diff --git a/debian-11/apps/apt-cacher-ng/apt-cacher-ng.sh b/debian-11/apps/apt-cacher-ng/apt-cacher-ng.sh
new file mode 100644
index 0000000..dff3063
--- /dev/null
+++ b/debian-11/apps/apt-cacher-ng/apt-cacher-ng.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [ -d "/var/cache/apt-cacher-ng" ]; then
+ chown apt-cacher-ng:apt-cacher-ng apt-cacher-ng
+fi
+
+apt install -y rinetd apt-cacher-ng
+
+cat > /etc/apt-cacher-ng/backend_archlx << "EOF"
+#### HTTPS not supported ####
+
+http://archlinux.puzzle.ch/
+EOF
+systemctl restart apt-cacher-ng
+
+sed -i '/^# bindadress.*/a 0.0.0.0 8080 127.0.0.1 3142' /etc/rinetd.conf
+sed -i '/^# bindadress.*/a 0.0.0.0 80 127.0.0.1 3142' /etc/rinetd.conf
+systemctl restart rinetd
+
+echo "Acquire::http { Proxy \"http://127.0.0.1\"; };" > /etc/apt/apt.conf.d/02proxy
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # apt-cacher-ng' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/bind9/bind9.sh b/debian-11/apps/bind9/bind9.sh
new file mode 100644
index 0000000..6a1bbc6
--- /dev/null
+++ b/debian-11/apps/bind9/bind9.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+apt install -y bind9
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # DNS' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/docker/docker.sh b/debian-11/apps/docker/docker.sh
new file mode 100644
index 0000000..3c21fd5
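Review bot: The `chown apt-cacher-ng:apt-cacher-ng apt-cacher-ng` inside the first `if` acts on a relative path in the current directory rather than on `/var/cache/apt-cacher-ng`, and it runs before `apt install` has created the `apt-cacher-ng` user, so on a fresh host it either fails or touches the wrong file; move it after the install and make it `chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng`. The two rinetd rules bind `0.0.0.0` on ports 80 and 8080 and the firewall block opens both to any source, so the cache's HTTP interface, including the report and maintenance pages apt-cacher-ng serves without a password unless `AdminAuth` is set, is reachable from every network the host sits on; bind rinetd to the LAN address or add `-s <lan>/<prefix>` to the two INPUT rules. The `sed` inserts on `/etc/rinetd.conf` silently do nothing if the `# bindadress` marker is absent, so a `grep -q` check before `systemctl restart rinetd` would make that failure visible.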
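Review bot: The two INPUT rules admit DNS from any source, yet nothing in the hunk configures `/etc/bind/named.conf.options`, so whether the server recurses for outside clients rests entirely on BIND's built-in default (which, as far as I recall, limits recursion to `localnets; localhost;`). Make that explicit, e.g. `allow-recursion { localnets; localhost; };` together with an `allow-query` matching the zones actually served, or scope the two rules with `-s <lan>/<prefix>`, so a later config edit cannot quietly turn the host into an open resolver usable for amplification. `apt install -y bind9` is also run without a preceding `apt update` and without checking its exit status before the firewall is opened.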
--- /dev/null
+++ b/debian-11/apps/docker/docker.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+swapoff -a
+sed -i "/swap/d" /etc/fstab
+
+apt remove -y iptables-persistent
+apt autoremove -y
+apt install -y ca-certificates curl gnupg lsb-release
+
+curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian bullseye stable" > /etc/apt/sources.list.d/docker.list
+
+sysctl -w net/netfilter/nf_conntrack_max=131072
+
+apt update
+apt dist-upgrade
+apt install -y docker-ce
+apt install -y docker-compose
+
+systemctl enable docker.service
+systemctl start docker.service
+
+sleep 3
diff --git a/debian-11/apps/dokuwiki/dokuwiki.sh b/debian-11/apps/dokuwiki/dokuwiki.sh
new file mode 100644
index 0000000..f08c04d
--- /dev/null
+++ b/debian-11/apps/dokuwiki/dokuwiki.sh
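Review bot: `apt remove -y iptables-persistent` removes the package that loads `/etc/iptables/rules.v4` at boot, so the host firewall that the other scripts in this commit extend stops being applied after a reboot, while their `[ -f /etc/iptables/rules.v4 ]` guard keeps passing as long as the file is left behind (a remove without purge generally leaves it). If this is meant to avoid fighting Docker's own chains, say so in a comment and note that published container ports bypass `INPUT` anyway, so host-level filtering for them belongs in `DOCKER-USER`. `apt dist-upgrade` lacks `-y` and will block an unattended run, `sed -i "/swap/d" /etc/fstab` deletes every fstab line that merely contains the substring `swap`, and the `sysctl -w` value is not persisted under `/etc/sysctl.d/`.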
@@ -0,0 +1,64 @@ +#!/bin/bash + +apt install -y php libapache2-mod-php php-xml + +a2dissite 000-default +a2dissite default-ssl.conf +a2enmod ssl + +mkdir /opt/dokuwiki +mkdir /var/www/dokuwiki + +wget -O dokuwiki.tgz https://download.dokuwiki.org/src/dokuwiki/dokuwiki-rc.tgz + +mkdir tmp-dokuwiki + +tar xzvf dokuwiki.tgz -C ./tmp-dokuwiki/ + +mv ./tmp-dokuwiki/*/* /var/www/dokuwiki +mv ./tmp-dokuwiki/*/.* /var/www/dokuwiki +mv /var/www/dokuwiki/data /opt/dokuwiki/ + +rm -R ./tmp-dokuwiki + +cp /var/www/dokuwiki/conf/local.php.dist /var/www/dokuwiki/conf/local.php +cp /var/www/dokuwiki/conf/acl.auth.php.dist /var/www/dokuwiki/conf/acl.auth.php +cp /var/www/dokuwiki/conf/users.auth.php.dist /var/www/dokuwiki/conf/users.auth.php + +chown -R www-data:www-data /opt/dokuwiki +chown -R www-data:www-data /var/www/dokuwiki + +sed -i 's|./data|/opt/dokuwiki/data|g' /var/www/dokuwiki/conf/dokuwiki.php +echo "\$conf['useacl'] = 1;" >> /var/www/dokuwiki/conf/local.php +echo "\$conf['superuser'] = '@admin';" >> /var/www/dokuwiki/conf/local.php +echo "$(echo "admin" | htpasswd -n -i -B admin):admin:admin@local.lan:admin" >> /var/www/dokuwiki/conf/users.auth.php + +cat > /etc/apache2/sites-available/dokuwiki.conf << "EOF" + + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/dokuwiki + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + SSLEngine on + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + +EOF + +systemctl reload apache2 +a2ensite dokuwiki +systemctl restart apache2 + +if [ -f "/etc/iptables/rules.v4" ]; then + sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4 + sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Matomo' /etc/iptables/rules.v4 + iptables-restore /etc/iptables/rules.v4 +fi 
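Review bot: The `users.auth.php` line creates the superuser `admin` with the fixed password `admin` (`echo "admin" | htpasswd -n -i -B admin`) while the firewall block exposes the wiki on 443 to any source, so every deployment comes up with a public, well-known admin credential; prompt for it the way `matomo.sh` prompts for its DB values but with `--passwordbox`, e.g. `ADMINPASS=$(whiptail --title "DokuWiki" --passwordbox "Admin Pass :" 0 30 3>&1 1>&2 2>&3)` and `echo "$(htpasswd -n -i -B admin <<<"${ADMINPASS}"):admin:admin@local.lan:admin" >> /var/www/dokuwiki/conf/users.auth.php`, refusing an empty value. The archive is the `dokuwiki-rc.tgz` release candidate, unpacked into the web root with no checksum or signature check, and the `# Matomo` comment written into `rules.v4` is a copy-paste leftover that should read `# DokuWiki`. `mv ./tmp-dokuwiki/*/.*` also tries to move `.` and `..`, which fails harmlessly but buries real errors in the noise.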
diff --git a/debian-11/apps/iperf3/iperf3.sh b/debian-11/apps/iperf3/iperf3.sh
new file mode 100644
index 0000000..78ee00e
--- /dev/null
+++ b/debian-11/apps/iperf3/iperf3.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+apt install -y iperf3
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 5201 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 5201 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # IPERF' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/matomo/matomo.sh b/debian-11/apps/matomo/matomo.sh
new file mode 100644
index 0000000..4ff4084
--- /dev/null
+++ b/debian-11/apps/matomo/matomo.sh
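Review bot: The firewall block opens 5201/tcp and 5201/udp to any source, but an iperf3 server has no authentication, so once one is listening any remote client can saturate the host's bandwidth at will; scope the two rules with `-s <lan>/<prefix>` or open the port only for the duration of a test. Whether a server is actually running after `apt install -y iperf3` depends on the bullseye package's debconf question about starting it as a daemon, which the hunk does not preseed, so the assumed answer should be documented in a comment.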
@@ -0,0 +1,52 @@ +#!/bin/bash + +apt install -y mariadb-server apache2 unzip +apt install -y php7.4 php7.4-gd php7.4-mbstring php7.4-mysql php7.4-opcache php7.4-readline php7.4-xml php-geoip +# apt install php php-curl php-gd php-cli php-mysql php-xml php-mbstring + +DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "matomo" 3>&1 1>&2 2>&3) +DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "matomo" 3>&1 1>&2 2>&3) +DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "matomo" 3>&1 1>&2 2>&3) +mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT OPTION;FLUSH PRIVILEGES;" + +a2dissite 000-default +a2dissite default-ssl.conf +a2enmod ssl + +mkdir matomo +cd matomo +wget https://builds.matomo.org/matomo.zip && unzip matomo.zip +mv matomo /var/www +chown -R www-data:www-data /var/www/matomo +cd .. +rm -R matomo + +cat > /etc/apache2/sites-available/matomo.conf << "EOF" + + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/matomo + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + SSLEngine on + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + +EOF + +systemctl reload apache2 +a2ensite matomo +systemctl restart apache2 + +if [ -f "/etc/iptables/rules.v4" ]; then + sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4 + sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Matomo' /etc/iptables/rules.v4 + iptables-restore /etc/iptables/rules.v4 +fi diff --git a/debian-11/apps/mongodb-4.4/mongodb-4.4.sh b/debian-11/apps/mongodb-4.4/mongodb-4.4.sh new file mode 100644 index 0000000..a02768e --- /dev/null +++ b/debian-11/apps/mongodb-4.4/mongodb-4.4.sh 
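Review bot: The DB password is collected with `--inputbox`, which echoes it on screen and pre-fills the literal default `matomo`; use `DBPASS=$(whiptail --title "DB" --passwordbox "DB Pass :" 0 30 3>&1 1>&2 2>&3)` and refuse an empty result. The grant is wider than Matomo needs and the three values are spliced unquoted into the `mysql -e` string, so a `'` or `;` in any of them breaks or alters the statement; `GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost';` without `WITH GRANT OPTION`, plus a character check on the inputs, would close both. `matomo.zip` is unpacked into the web root without being verified against the `.asc` signature Matomo publishes next to the archive, and the password is visible in the `mysql` process arguments for the duration of the call.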
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | apt-key add -
+echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main"> /etc/apt/sources.list.d/mongodb-org-4.4.list
+apt update
+apt install -y mongodb-org
+
+DBPATH=/srv/mongodb
+mkdir -p ${DBPATH}
+chown mongodb:mongodb ${DBPATH}
+chmod 700 ${DBPATH}
+sed -i "/dbPath/c\ dbPath: ${DBPATH}" /etc/mongod.conf
+
+systemctl enable mongod.service
+systemctl restart mongod.service
diff --git a/debian-11/apps/mongodb-5.0/mongodb-5.0.sh b/debian-11/apps/mongodb-5.0/mongodb-5.0.sh
new file mode 100644
index 0000000..d7dec80
--- /dev/null
+++ b/debian-11/apps/mongodb-5.0/mongodb-5.0.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+wget -qO - https://www.mongodb.org/static/pgp/server-5.0.asc | apt-key add -
+echo "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/5.0 main"> /etc/apt/sources.list.d/mongodb-org-5.0.list
+apt update
+apt install -y mongodb-org
+
+DBPATH=/srv/mongodb
+mkdir -p ${DBPATH}
+chown mongodb:mongodb ${DBPATH}
+chmod 700 ${DBPATH}
+sed -i "/dbPath/c\ dbPath: ${DBPATH}" /etc/mongod.conf
+
+systemctl enable mongod.service
+systemctl restart mongod.service
diff --git a/debian-11/apps/mongodb-6.0/mongodb-6.0.sh b/debian-11/apps/mongodb-6.0/mongodb-6.0.sh
new file mode 100644
index 0000000..831c0e7
--- /dev/null
+++ b/debian-11/apps/mongodb-6.0/mongodb-6.0.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | apt-key add -
+echo "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/6.0 main" > /etc/apt/sources.list.d/mongodb-org-6.0.list
+apt update
+apt install -y mongodb-org
+
+DBPATH=/srv/mongodb
+mkdir -p ${DBPATH}
+chown mongodb:mongodb ${DBPATH}
+chmod 700 ${DBPATH}
+sed -i "/dbPath/c\ dbPath: ${DBPATH}" /etc/mongod.conf
+
+systemctl enable mongod.service
+systemctl restart mongod.service
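Review bot: `apt-key add -` places the MongoDB key in the system-wide trusted keyring, which lets that key authenticate packages from any configured repository rather than only `repo.mongodb.org`; `docker.sh` in this same commit already scopes its key with `signed-by=`, so for consistency replace the two lines with `wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | gpg --dearmor -o /usr/share/keyrings/mongodb-server-4.4.gpg` and `echo "deb [signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg] http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" > /etc/apt/sources.list.d/mongodb-org-4.4.list`. The 4.4 line also pulls the `buster` suite onto a Debian 11 host, which deserves a comment if it is deliberate. Nothing enables `security.authorization`, so the service starts without access control; the packaged config's `bindIp: 127.0.0.1` keeps that local-only, which is worth stating in the script header.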
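Review bot: Nothing in the hunk turns on access control: `/etc/mongod.conf` is only edited for `dbPath`, so mongod is enabled and started with `security.authorization` off and every local process can read and write all databases. Replace the packaged `#security:` placeholder, e.g. `sed -i '/^#security:/c\security:\n  authorization: enabled' /etc/mongod.conf`, and create the admin user before anything else is pointed at the instance; the default `bindIp: 127.0.0.1` keeps the exposure local until someone widens it, which a comment should spell out. The key is also imported with `apt-key add -` into the global keyring instead of a dedicated `signed-by=` keyring as `docker.sh` in this commit does, so it can authenticate any repository.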
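Review bot: `wget -qO - … | apt-key add -` hides a failed download (`-q`, no `pipefail`), and with no `set -e` the script carries on through `apt update`, `apt install -y mongodb-org`, `chown mongodb:mongodb` and `systemctl enable` even when the key never landed and the package never installed, leaving a half-configured host; check each step, at minimum `apt install -y mongodb-org || exit 1`. Beyond error handling, the key should go into a dedicated keyring referenced via `signed-by=` instead of the global `apt-key` store (see `docker.sh` in this commit), and the service is enabled without `security.authorization`, which the packaged config leaves off.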
diff --git a/debian-11/apps/nagios-pnp4/nagios-pnp4.sh b/debian-11/apps/nagios-pnp4/nagios-pnp4.sh
new file mode 100644
index 0000000..373f75a
--- /dev/null
+++ b/debian-11/apps/nagios-pnp4/nagios-pnp4.sh
@@ -0,0 +1,109 @@ +#!/bin/bash + +apt -y install rrdtool librrds-perl php-gd php-xml gcc make + +cd +wget -O pnp4nagios.tar.gz https://github.com/lingej/pnp4nagios/archive/refs/tags/0.6.26.tar.gz +tar xzf pnp4nagios.tar.gz +cd pnp4nagios-0.* +./configure +make all +make install +make install-webconf +make install-config +make install-init +cd + +cat > /etc/apache2/sites-available/pnp4nagios.conf << EOF +Alias /pnp4nagios "/usr/local/pnp4nagios/share" + + + AllowOverride None + Order allow,deny + Allow from all + AuthDigestDomain "Nagios4" + AuthDigestProvider file + AuthUserFile "/etc/nagios4/htdigest.users" + AuthGroupFile "/etc/group" + AuthName "Nagios4" + AuthType Digest + Require valid-user + + RewriteEngine On + Options symLinksIfOwnerMatch + RewriteBase /pnp4nagios/ + RewriteRule "^(?:application|modules|system)/" - [F] + RewriteCond "%{REQUEST_FILENAME}" !-f + RewriteCond "%{REQUEST_FILENAME}" !-d + RewriteRule "^.*$" "index.php/\$0" [PT] + + +EOF + +systemctl daemon-reload +systemctl enable npcd +systemctl start npcd +systemctl reload apache2 +a2ensite pnp4nagios.conf +systemctl restart apache2 + +sed -i 's/process_performance_data=0/process_performance_data=1/g' /etc/nagios4/nagios.cfg +sed -i 's/#host_perfdata_file=/host_perfdata_file=/g' /etc/nagios4/nagios.cfg +sed -i 's/^host_perfdata_file=.*/host_perfdata_file=\/usr\/local\/pnp4nagios\/var\/service-perfdata/g' /etc/nagios4/nagios.cfg +sed -i 's/^#host_perfdata_file_template=.*/host_perfdata_file_template=DATATYPE::HOSTPERFDATA\\tTIMET::$TIMET$\\tHOSTNAME::$HOSTNAME$\\tHOSTPERFDATA::$HOSTPERFDATA$\\tHOSTCHECKCOMMAND::$HOSTCHECKCOMMAND$\\tHOSTSTATE::$HOSTSTATE$\\tHOSTSTATETYPE::$HOSTSTATETYPE$/g' /etc/nagios4/nagios.cfg +sed -i 's/#host_perfdata_file_mode=/host_perfdata_file_mode=/g' /etc/nagios4/nagios.cfg +sed -i 's/^#host_perfdata_file_processing_interval=.*/host_perfdata_file_processing_interval=15/g' /etc/nagios4/nagios.cfg +sed -i 
's/^#host_perfdata_file_processing_command=.*/host_perfdata_file_processing_command=process-host-perfdata-file-bulk-npcd/g' /etc/nagios4/nagios.cfg
+sed -i 's/#service_perfdata_file=/service_perfdata_file=/g' /etc/nagios4/nagios.cfg
+sed -i 's/^service_perfdata_file=.*/service_perfdata_file=\/usr\/local\/pnp4nagios\/var\/service-perfdata/g' /etc/nagios4/nagios.cfg
+sed -i 's/^#service_perfdata_file_template=.*/service_perfdata_file_template=DATATYPE::SERVICEPERFDATA\\tTIMET::$TIMET$\\tHOSTNAME::$HOSTNAME$\\tSERVICEDESC::$SERVICEDESC$\\tSERVICEPERFDATA::$SERVICEPERFDATA$\\tSERVICECHECKCOMMAND::$SERVICECHECKCOMMAND$\\tHOSTSTATE::$HOSTSTATE$\\tHOSTSTATETYPE::$HOSTSTATETYPE$\\tSERVICESTATE::$SERVICESTATE$\\tSERVICESTATETYPE::$SERVICESTATETYPE$/g' /etc/nagios4/nagios.cfg
+sed -i 's/#service_perfdata_file_mode=/service_perfdata_file_mode=/g' /etc/nagios4/nagios.cfg
+sed -i 's/^#service_perfdata_file_processing_interval=.*/service_perfdata_file_processing_interval=15/g' /etc/nagios4/nagios.cfg
+sed -i 's/^#service_perfdata_file_processing_command=.*/service_perfdata_file_processing_command=process-service-perfdata-file-bulk-npcd/g' /etc/nagios4/nagios.cfg
+
+echo '' >> /etc/nagios4/objects/commands.cfg
+echo 'define command {' >> /etc/nagios4/objects/commands.cfg
+echo ' command_name process-host-perfdata-file-bulk-npcd' >> /etc/nagios4/objects/commands.cfg
+echo ' command_line /bin/mv /usr/local/pnp4nagios/var/host-perfdata /usr/local/pnp4nagios/var/spool/host-perfdata.$TIMET$' >> /etc/nagios4/objects/commands.cfg
+echo ' }' >> /etc/nagios4/objects/commands.cfg
+echo '' >> /etc/nagios4/objects/commands.cfg
+echo 'define command {' >> /etc/nagios4/objects/commands.cfg
+echo ' command_name process-service-perfdata-file-bulk-npcd' >> /etc/nagios4/objects/commands.cfg
+echo ' command_line /bin/mv /usr/local/pnp4nagios/var/service-perfdata /usr/local/pnp4nagios/var/spool/service-perfdata.$TIMET$' >> /etc/nagios4/objects/commands.cfg
+echo ' }' >> 
/etc/nagios4/objects/commands.cfg
+echo '' >> /etc/nagios4/objects/commands.cfg
+
+rm -f /usr/local/pnp4nagios/share/install.php
+
+echo '' >> /etc/nagios4/objects/templates.cfg
+echo 'define host {' >> /etc/nagios4/objects/templates.cfg
+echo ' name host-pnp' >> /etc/nagios4/objects/templates.cfg
+echo ' action_url /pnp4nagios/index.php/graph?host=$HOSTNAME$&srv=_HOST_' >> /etc/nagios4/objects/templates.cfg
+echo ' register 0' >> /etc/nagios4/objects/templates.cfg
+echo '}' >> /etc/nagios4/objects/templates.cfg
+echo '' >> /etc/nagios4/objects/templates.cfg
+echo 'define service {' >> /etc/nagios4/objects/templates.cfg
+echo ' name service-pnp' >> /etc/nagios4/objects/templates.cfg
+echo ' action_url /pnp4nagios/index.php/graph?host=$HOSTNAME$&srv=$SERVICEDESC$' >> /etc/nagios4/objects/templates.cfg
+echo ' register 0' >> /etc/nagios4/objects/templates.cfg
+echo '}' >> /etc/nagios4/objects/templates.cfg
+echo '' >> /etc/nagios4/objects/templates.cfg
+
+sed -i '/name.*generic-host/a\ use host-pnp' /etc/nagios4/objects/templates.cfg
+sed -i '/name.*generic-service/a\ use service-pnp' /etc/nagios4/objects/templates.cfg
+
+
+# Patch 1
+wget https://patch-diff.githubusercontent.com/raw/lingej/pnp4nagios/pull/168.diff
+wget https://patch-diff.githubusercontent.com/raw/lingej/pnp4nagios/pull/169.diff
+patch /usr/local/pnp4nagios/lib/kohana/system/libraries/Input.php 168.diff
+patch /usr/local/pnp4nagios/lib/kohana/system/libraries/Input.php 169.diff
+rm 168.diff
+rm 169.diff
+
+# Patch 2
+sed -i 's/if(sizeof($pages) > 0 ){/if(is_array($pages)\&\&sizeof($pages) > 0){/' /usr/local/pnp4nagios/share/application/models/data.php
+
+
+systemctl restart apache2
+systemctl restart nagios4
diff --git a/debian-11/apps/nagios/nagios.sh b/debian-11/apps/nagios/nagios.sh
new file mode 100644
index 0000000..5be6340
--- /dev/null
+++ b/debian-11/apps/nagios/nagios.sh
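Review bot: The two `wget` calls under `# Patch 1` fetch `pull/168.diff` and `pull/169.diff` from `patch-diff.githubusercontent.com` and `patch` them into `Input.php` as root, but a pull-request diff tracks the PR branch and changes whenever that branch is force-pushed, so what gets installed is not pinned to anything reviewable. Fetch the diffs by commit SHA (`https://github.com/lingej/pnp4nagios/commit/<sha>.diff`) or vendor them into this repo, and check `patch`'s exit status instead of unconditionally running `rm`. The 0.6.26 tarball is likewise built and `make install`ed with no checksum check; `echo "<expected sha256>  pnp4nagios.tar.gz" | sha256sum -c - || exit 1` after the download would pin it. Separately, `host_perfdata_file` is set to `.../var/service-perfdata` (the same file as the service data) while `process-host-perfdata-file-bulk-npcd` moves `.../var/host-perfdata`, which never exists, so host perfdata is mixed into the service file and never spooled; the host path should be `host-perfdata`. The Apache stanza's `Order allow,deny` / `Allow from all` is 2.2 syntax that only works while `mod_access_compat` is loaded; `Require all granted` is the 2.4 form.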
@@ -0,0 +1,71 @@ +#!/bin/bash + +sed -i 's/main/main non-free/' /etc/apt/sources.list +apt update +apt -y install nagios4 snmp-mibs-downloader + +chmod u+s /bin/ping + +a2dissite 000-default.conf +a2disconf nagios4-cgi +a2enmod rewrite cgi ssl + +echo "" +echo "Set nagiosadmin password :" +while : +do + htdigest -c /etc/nagios4/htdigest.users Nagios4 nagiosadmin + if [ ${?} == 0 ]; then break; fi +done + +cat > /etc/apache2/sites-available/nagios.conf << "EOF" + + + ServerAdmin webmaster@localhost + DocumentRoot /usr/share/nagios4/htdocs + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + SSLEngine on + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4 + ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4 + ScriptAlias /cgi-bin /usr/lib/cgi-bin/nagios4 + Alias /stylesheets /etc/nagios4/stylesheets + Alias /nagios4/stylesheets /etc/nagios4/stylesheets + Alias /nagios4 /usr/share/nagios4/htdocs + + Options FollowSymLinks + DirectoryIndex index.php index.html + # AllowOverride AuthConfig + # Require ip ::1/128 fc00::/7 fe80::/10 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 + AuthDigestDomain "Nagios4" + AuthDigestProvider file + AuthUserFile "/etc/nagios4/htdigest.users" + AuthGroupFile "/etc/group" + AuthName "Nagios4" + AuthType Digest + Require valid-user + + + Options +ExecCGI + + + +EOF + +systemctl reload apache2 +a2ensite nagios +systemctl restart apache2 + +sed -i s/use_authentication=0/use_authentication=1/ /etc/nagios4/cgi.cfg + +systemctl enable nagios4 +systemctl start nagios4 + +if [ -f "/etc/iptables/rules.v4" ]; then + sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4 + sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Apache' /etc/iptables/rules.v4 + iptables-restore /etc/iptables/rules.v4 +fi 
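Review bot: `chmod u+s /bin/ping` makes ping setuid root for every local user, which is broader than needed: Debian's iputils-ping is installed with the `cap_net_raw+ep` file capability (setuid is only the fallback where capabilities are unavailable), so the check plugins should already work without this line; drop it, or if a specific plugin really needs it use `setcap cap_net_raw+ep /bin/ping` and comment why. `sed -i 's/main/main non-free/' /etc/apt/sources.list` rewrites every line containing `main`, including `deb-src` entries and lines that already list `non-free`, producing duplicate components; anchor it to the `deb` lines that lack `non-free`. The digest realm is the only access control on the CGI paths (the `Require ip` line is left commented out) and it sits behind the self-signed snakeoil certificate, which is acceptable for a lab but should be stated in the script header.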
diff --git a/debian-11/apps/nextcloud-23/nextcloud-23.sh b/debian-11/apps/nextcloud-23/nextcloud-23.sh
new file mode 100644
index 0000000..6a87eb3
--- /dev/null
+++ b/debian-11/apps/nextcloud-23/nextcloud-23.sh
@@ -0,0 +1,112 @@ +#!/bin/bash + +# https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html + +IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /) +DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "nextcloud" 3>&1 1>&2 2>&3) +DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "nextcloud" 3>&1 1>&2 2>&3) +DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "nextcloud" 3>&1 1>&2 2>&3) +DATAPATH=$(whiptail --title "DATA" --inputbox "DATA Path :" 0 30 "/srv/nextcloud/data" 3>&1 1>&2 2>&3) +NCUSER=$(whiptail --title "NextCloud" --inputbox "Admin Name :" 0 30 "admin" 3>&1 1>&2 2>&3) +NCPASS=$(whiptail --title "NextCloud" --inputbox "Admin Pass :" 0 30 "admin" 3>&1 1>&2 2>&3) + + +apt install -y sudo apache2 coturn +apt install -y php7.4 php7.4-curl php7.4-gd php7.4-mbstring php7.4-zip php-xml php-bz2 php7.4-intl php7.4-fpm php-apcu php-memcached php-redis php-imagick php7.4-bcmath php7.4-gmp libapache2-mod-php7.4 +apt install -y php7.4-mysql mariadb-server +apt install -y smbclient ffmpeg libmagickcore-6.q16-6-extra + +a2dissite 000-default +a2dissite default-ssl.conf +a2enmod rewrite +a2enmod headers +a2enmod env +a2enmod dir +a2enmod mime +a2enmod ssl + +sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/apache2/php.ini +sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini +sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/cli/php.ini +echo "apc.enable_cli=1" >> /etc/php/7.4/cli/php.ini + +mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT OPTION;FLUSH PRIVILEGES;" + +wget https://download.nextcloud.com/server/releases/latest-23.tar.bz2 +tar -xvf latest-23.tar.bz2 +mv nextcloud /var/www +chown -R www-data:www-data /var/www/nextcloud +mkdir -p ${DATAPATH} +chown -R www-data:www-data ${DATAPATH} + +cat > 
/etc/apache2/sites-available/nextcloud.conf << "EOF" + + Protocols h2 http:/1.1 + DocumentRoot "/var/www/nextcloud" + #ServerName nextcloud.your-domain.com + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains" + SSLEngine on + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + SSLCertificateChainFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLProtocol TLSv1.2 + + + Options +FollowSymlinks + AllowOverride All + + Dav off + + SetEnv HOME /var/www/nextcloud + SetEnv HTTP_HOME /var/www/nextcloud + Satisfy Any + + + +EOF + +a2ensite nextcloud +systemctl restart apache2 + +cd /var/www/nextcloud/ +sudo -u www-data php occ maintenance:install \ + --database "mysql" \ + --database-name "${DBNAME}" \ + --database-user "${DBUSER}" \ + --database-pass "${DBPASS}" \ + --admin-user "${NCUSER}" \ + --admin-pass "${NCPASS}" \ + --data-dir "${DATAPATH}" +sed -i "s/0 => 'localhost/0 => '${IPV4}/" /var/www/nextcloud/config/config.php +sed -i "s/\/\/localhost/\/\/${IPV4}/" /var/www/nextcloud/config/config.php +sed -i "s/http:/https:/" /var/www/nextcloud/config/config.php +sed -i "/^);*/i\ \ 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu'," /var/www/nextcloud/config/config.php +sed -i "/^);*/i\ \ 'default_phone_region' => 'CH'," /var/www/nextcloud/config/config.php +echo "*/5 * * * * php -f /var/www/nextcloud/cron.php" | crontab -u www-data - +sudo -u www-data php occ background:cron + +cat >> /etc/turnserver.conf << "EOF" +listening-port=8080 +listening-ip=0.0.0.0 +fingerprint +use-auth-secret +static-auth-secret=AUTHSECRET +# realm=nextcloud.dom.lan +total-quota=0 +bps-capacity=0 +stale-nonce +no-multicast-peers +EOF +AUTHSECRET=$(openssl rand -hex 32) +sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf + +if [ -f "/etc/iptables/rules.v4" ]; then + sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p 
tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NextCloud' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TurnServer' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/nextcloud-24/nextcloud-24.sh b/debian-11/apps/nextcloud-24/nextcloud-24.sh
new file mode 100644
index 0000000..8e0831b
--- /dev/null
+++ b/debian-11/apps/nextcloud-24/nextcloud-24.sh
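Review bot: The TURN secret is never written: `sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf` has no `-i`, targets a relative `turnserver.conf` inside `/var/www/nextcloud/` (the script `cd`'d there) instead of `/etc/turnserver.conf`, and sends its output to stdout, so `/etc/turnserver.conf` keeps `static-auth-secret=AUTHSECRET` literally. With `listening-ip=0.0.0.0` and the firewall block opening 8080/tcp and 8080/udp to any source, that leaves a relay whose shared secret is a well-known string reachable from everywhere, as soon as coturn runs (the hunk neither enables nor restarts it). Change it to `sed -i "s/AUTHSECRET/${AUTHSECRET}/" /etc/turnserver.conf` followed by `systemctl restart coturn`, and hand the same secret to Nextcloud Talk (or print it) so it is actually used. `Protocols h2 http:/1.1` in the vhost also misspells `http/1.1`.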
@@ -0,0 +1,112 @@ +#!/bin/bash + +# https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html + +IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /) +DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "nextcloud" 3>&1 1>&2 2>&3) +DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "nextcloud" 3>&1 1>&2 2>&3) +DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "nextcloud" 3>&1 1>&2 2>&3) +DATAPATH=$(whiptail --title "DATA" --inputbox "DATA Path :" 0 30 "/srv/nextcloud/data" 3>&1 1>&2 2>&3) +NCUSER=$(whiptail --title "NextCloud" --inputbox "Admin Name :" 0 30 "admin" 3>&1 1>&2 2>&3) +NCPASS=$(whiptail --title "NextCloud" --inputbox "Admin Pass :" 0 30 "admin" 3>&1 1>&2 2>&3) + + +apt install -y sudo apache2 coturn +apt install -y php7.4 php7.4-curl php7.4-gd php7.4-mbstring php7.4-zip php-xml php-bz2 php7.4-intl php7.4-fpm php-apcu php-memcached php-redis php-imagick php7.4-bcmath php7.4-gmp libapache2-mod-php7.4 +apt install -y php7.4-mysql mariadb-server +apt install -y smbclient ffmpeg libmagickcore-6.q16-6-extra + +a2dissite 000-default +a2dissite default-ssl.conf +a2enmod rewrite +a2enmod headers +a2enmod env +a2enmod dir +a2enmod mime +a2enmod ssl + +sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/apache2/php.ini +sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini +sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/cli/php.ini +echo "apc.enable_cli=1" >> /etc/php/7.4/cli/php.ini + +mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT OPTION;FLUSH PRIVILEGES;" + +wget https://download.nextcloud.com/server/releases/latest-24.tar.bz2 +tar -xvf latest-24.tar.bz2 +mv nextcloud /var/www +chown -R www-data:www-data /var/www/nextcloud +mkdir -p ${DATAPATH} +chown -R www-data:www-data ${DATAPATH} + +cat > 
/etc/apache2/sites-available/nextcloud.conf << "EOF" + + Protocols h2 http:/1.1 + DocumentRoot "/var/www/nextcloud" + #ServerName nextcloud.your-domain.com + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains" + SSLEngine on + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + SSLCertificateChainFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLProtocol TLSv1.2 + + + Options +FollowSymlinks + AllowOverride All + + Dav off + + SetEnv HOME /var/www/nextcloud + SetEnv HTTP_HOME /var/www/nextcloud + Satisfy Any + + + +EOF + +a2ensite nextcloud +systemctl restart apache2 + +cd /var/www/nextcloud/ +sudo -u www-data php occ maintenance:install \ + --database "mysql" \ + --database-name "${DBNAME}" \ + --database-user "${DBUSER}" \ + --database-pass "${DBPASS}" \ + --admin-user "${NCUSER}" \ + --admin-pass "${NCPASS}" \ + --data-dir "${DATAPATH}" +sed -i "s/0 => 'localhost/0 => '${IPV4}/" /var/www/nextcloud/config/config.php +sed -i "s/\/\/localhost/\/\/${IPV4}/" /var/www/nextcloud/config/config.php +sed -i "s/http:/https:/" /var/www/nextcloud/config/config.php +sed -i "/^);*/i\ \ 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu'," /var/www/nextcloud/config/config.php +sed -i "/^);*/i\ \ 'default_phone_region' => 'CH'," /var/www/nextcloud/config/config.php +echo "*/5 * * * * php -f /var/www/nextcloud/cron.php" | crontab -u www-data - +sudo -u www-data php occ background:cron + +cat >> /etc/turnserver.conf << "EOF" +listening-port=8080 +listening-ip=0.0.0.0 +fingerprint +use-auth-secret +static-auth-secret=AUTHSECRET +# realm=nextcloud.dom.lan +total-quota=0 +bps-capacity=0 +stale-nonce +no-multicast-peers +EOF +AUTHSECRET=$(openssl rand -hex 32) +sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf + +if [ -f "/etc/iptables/rules.v4" ]; then + sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p 
tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NextCloud' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TurnServer' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/nextcloud-25/nextcloud-25.sh b/debian-11/apps/nextcloud-25/nextcloud-25.sh
new file mode 100644
index 0000000..cce9e46
--- /dev/null
+++ b/debian-11/apps/nextcloud-25/nextcloud-25.sh
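Review bot: The admin and DB passwords are read with `--inputbox`, which echoes them on screen and pre-fills the literal defaults `admin` and `nextcloud`, so an operator who just presses Enter gets a Nextcloud open on 443 with `admin`/`admin`; use `--passwordbox` with no default, e.g. `NCPASS=$(whiptail --title "NextCloud" --passwordbox "Admin Pass :" 0 30 3>&1 1>&2 2>&3)`, and abort on an empty value. The DB grant carries an unneeded `WITH GRANT OPTION`, and all three DB values are spliced unquoted into the `mysql -e` string, so a `'` or `;` in the password breaks or alters the statement. `--admin-pass` also puts the password into the `occ` process's argument list; if `occ` can take it from the environment (`user:add` honours `OC_PASS`), that keeps it out of `ps`. The same TURN defect as in `nextcloud-23.sh` is present here: the final `sed` has no `-i` and targets a relative `turnserver.conf`, so `/etc/turnserver.conf` keeps `static-auth-secret=AUTHSECRET` while 8080 is opened to everyone.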
@@ -0,0 +1,112 @@ +#!/bin/bash + +# https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html + +IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /) +DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "nextcloud" 3>&1 1>&2 2>&3) +DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "nextcloud" 3>&1 1>&2 2>&3) +DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "nextcloud" 3>&1 1>&2 2>&3) +DATAPATH=$(whiptail --title "DATA" --inputbox "DATA Path :" 0 30 "/srv/nextcloud/data" 3>&1 1>&2 2>&3) +NCUSER=$(whiptail --title "NextCloud" --inputbox "Admin Name :" 0 30 "admin" 3>&1 1>&2 2>&3) +NCPASS=$(whiptail --title "NextCloud" --inputbox "Admin Pass :" 0 30 "admin" 3>&1 1>&2 2>&3) + + +apt install -y sudo apache2 coturn +apt install -y php7.4 php7.4-curl php7.4-gd php7.4-mbstring php7.4-zip php-xml php-bz2 php7.4-intl php7.4-fpm php-apcu php-memcached php-redis php-imagick php7.4-bcmath php7.4-gmp libapache2-mod-php7.4 +apt install -y php7.4-mysql mariadb-server +apt install -y smbclient ffmpeg libmagickcore-6.q16-6-extra + +a2dissite 000-default +a2dissite default-ssl.conf +a2enmod rewrite +a2enmod headers +a2enmod env +a2enmod dir +a2enmod mime +a2enmod ssl + +sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/apache2/php.ini +sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini +sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/cli/php.ini +echo "apc.enable_cli=1" >> /etc/php/7.4/cli/php.ini + +mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT OPTION;FLUSH PRIVILEGES;" + +wget https://download.nextcloud.com/server/releases/latest-25.tar.bz2 +tar -xvf latest-25.tar.bz2 +mv nextcloud /var/www +chown -R www-data:www-data /var/www/nextcloud +mkdir -p ${DATAPATH} +chown -R www-data:www-data ${DATAPATH} + +cat > 
/etc/apache2/sites-available/nextcloud.conf << "EOF" + + Protocols h2 http:/1.1 + DocumentRoot "/var/www/nextcloud" + #ServerName nextcloud.your-domain.com + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains" + SSLEngine on + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + SSLCertificateChainFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLProtocol TLSv1.2 + + + Options +FollowSymlinks + AllowOverride All + + Dav off + + SetEnv HOME /var/www/nextcloud + SetEnv HTTP_HOME /var/www/nextcloud + Satisfy Any + + + +EOF + +a2ensite nextcloud +systemctl restart apache2 + +cd /var/www/nextcloud/ +sudo -u www-data php occ maintenance:install \ + --database "mysql" \ + --database-name "${DBNAME}" \ + --database-user "${DBUSER}" \ + --database-pass "${DBPASS}" \ + --admin-user "${NCUSER}" \ + --admin-pass "${NCPASS}" \ + --data-dir "${DATAPATH}" +sed -i "s/0 => 'localhost/0 => '${IPV4}/" /var/www/nextcloud/config/config.php +sed -i "s/\/\/localhost/\/\/${IPV4}/" /var/www/nextcloud/config/config.php +sed -i "s/http:/https:/" /var/www/nextcloud/config/config.php +sed -i "/^);*/i\ \ 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu'," /var/www/nextcloud/config/config.php +sed -i "/^);*/i\ \ 'default_phone_region' => 'CH'," /var/www/nextcloud/config/config.php +echo "*/5 * * * * php -f /var/www/nextcloud/cron.php" | crontab -u www-data - +sudo -u www-data php occ background:cron + +cat >> /etc/turnserver.conf << "EOF" +listening-port=8080 +listening-ip=0.0.0.0 +fingerprint +use-auth-secret +static-auth-secret=AUTHSECRET +# realm=nextcloud.dom.lan +total-quota=0 +bps-capacity=0 +stale-nonce +no-multicast-peers +EOF +AUTHSECRET=$(openssl rand -hex 32) +sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf + +if [ -f "/etc/iptables/rules.v4" ]; then + sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p 
tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NextCloud' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TurnServer' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/nextcloud-26/nextcloud-26.sh b/debian-11/apps/nextcloud-26/nextcloud-26.sh
new file mode 100644
index 0000000..0947d04
--- /dev/null
+++ b/debian-11/apps/nextcloud-26/nextcloud-26.sh
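Review bot: The generated TURN secret is discarded: `sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf` runs without `-i` against a relative file in `/var/www/nextcloud/` rather than `/etc/turnserver.conf`, so the relay config keeps the placeholder `static-auth-secret=AUTHSECRET` while `listening-ip=0.0.0.0` and the 8080/tcp and 8080/udp rules expose it to any source; it should be `sed -i "s/AUTHSECRET/${AUTHSECRET}/" /etc/turnserver.conf` followed by `systemctl restart coturn`, with the secret passed on to Nextcloud Talk. In the vhost, `Protocols h2 http:/1.1` misspells `http/1.1`, `SSLCertificateChainFile` points at the snakeoil leaf certificate rather than a chain, and `Strict-Transport-Security` with `includeSubDomains` is sent while that self-signed certificate is in use, which pins browsers to HTTPS for every subdomain before a real certificate exists; the HSTS line should be gated on a proper certificate being installed. The DB password also goes through `--inputbox` with a visible default and is spliced unquoted into `mysql -e`, as in the sibling scripts.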
@@ -0,0 +1,115 @@
+#!/bin/bash
+
+# https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html
+
+IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /)
+DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DATAPATH=$(whiptail --title "DATA" --inputbox "DATA Path :" 0 30 "/srv/nextcloud/data" 3>&1 1>&2 2>&3)
+NCUSER=$(whiptail --title "NextCloud" --inputbox "Admin Name :" 0 30 "admin" 3>&1 1>&2 2>&3)
+NCPASS=$(whiptail --title "NextCloud" --inputbox "Admin Pass :" 0 30 "admin" 3>&1 1>&2 2>&3)
+
+curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg
+echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ bullseye main" > /etc/apt/sources.list.d/php-8.1.list
+apt update -y
+
+apt install -y sudo apache2 coturn
+apt install -y php8.1 php8.1-curl php8.1-gd php8.1-mbstring php8.1-zip php8.1-xml php8.1-bz2 php8.1-intl php8.1-fpm php8.1-apcu php8.1-memcached php8.1-redis php8.1-imagick php8.1-bcmath php8.1-gmp libapache2-mod-php8.1
+apt install -y php8.1-mysql mariadb-server
+apt install -y smbclient ffmpeg libmagickcore-6.q16-6-extra
+
+a2dissite 000-default
+a2dissite default-ssl.conf
+a2enmod rewrite
+a2enmod headers
+a2enmod env
+a2enmod dir
+a2enmod mime
+a2enmod ssl
+
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/8.1/apache2/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/8.1/fpm/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/8.1/cli/php.ini
+echo "apc.enable_cli=1" >> /etc/php/8.1/cli/php.ini
+
+mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT 
OPTION;FLUSH PRIVILEGES;" + +wget https://download.nextcloud.com/server/releases/latest-26.tar.bz2 +tar -xvf latest-26.tar.bz2 +mv nextcloud /var/www +chown -R www-data:www-data /var/www/nextcloud +mkdir -p ${DATAPATH} +chown -R www-data:www-data ${DATAPATH} + +cat > /etc/apache2/sites-available/nextcloud.conf << "EOF" + + Protocols h2 http:/1.1 + DocumentRoot "/var/www/nextcloud" + #ServerName nextcloud.your-domain.com + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains" + SSLEngine on + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + SSLCertificateChainFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLProtocol TLSv1.2 + + + Options +FollowSymlinks + AllowOverride All + + Dav off + + SetEnv HOME /var/www/nextcloud + SetEnv HTTP_HOME /var/www/nextcloud + Satisfy Any + + + +EOF + +a2ensite nextcloud +systemctl restart apache2 + +cd /var/www/nextcloud/ +sudo -u www-data php occ maintenance:install \ + --database "mysql" \ + --database-name "${DBNAME}" \ + --database-user "${DBUSER}" \ + --database-pass "${DBPASS}" \ + --admin-user "${NCUSER}" \ + --admin-pass "${NCPASS}" \ + --data-dir "${DATAPATH}" +sed -i "s/0 => 'localhost/0 => '${IPV4}/" /var/www/nextcloud/config/config.php +sed -i "s/\/\/localhost/\/\/${IPV4}/" /var/www/nextcloud/config/config.php +sed -i "s/http:/https:/" /var/www/nextcloud/config/config.php +sed -i "/^);*/i\ \ 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu'," /var/www/nextcloud/config/config.php +sed -i "/^);*/i\ \ 'default_phone_region' => 'CH'," /var/www/nextcloud/config/config.php +echo "*/5 * * * * php -f /var/www/nextcloud/cron.php" | crontab -u www-data - +sudo -u www-data php occ background:cron + +cat >> /etc/turnserver.conf << "EOF" +listening-port=8080 +listening-ip=0.0.0.0 +fingerprint +use-auth-secret +static-auth-secret=AUTHSECRET +# 
 realm=nextcloud.dom.lan
+total-quota=0
+bps-capacity=0
+stale-nonce
+no-multicast-peers
+EOF
+AUTHSECRET=$(openssl rand -hex 32)
+sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NextCloud' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TurnServer' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/nextcloud-latest/nextcloud-latest.sh b/debian-11/apps/nextcloud-latest/nextcloud-latest.sh
new file mode 100644
index 0000000..6e20e2f
--- /dev/null
+++ b/debian-11/apps/nextcloud-latest/nextcloud-latest.sh
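Review bot: The generated TURN secret never reaches the running config: `sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf` has no `-i` and names a relative path, but the script has already done `cd /var/www/nextcloud/`, so the command prints an error for a missing file and /etc/turnserver.conf keeps the literal placeholder `static-auth-secret=AUTHSECRET` as the shared secret of a relay bound to 0.0.0.0:8080 with total-quota=0 and bps-capacity=0. It should read `sed -i "s/AUTHSECRET/${AUTHSECRET}/" /etc/turnserver.conf` followed by `systemctl restart coturn`, and presumably the same value has to be configured on the Nextcloud side for the relay to be used at all. nextcloud-latest.sh carries the identical lines. The `mysql -e` statement and the `occ maintenance:install` arguments also interpolate the whiptail answers unescaped, so a quote in DBPASS breaks the SQL, and the pre-filled `nextcloud`/`admin` values become the real credentials if the operator just presses Enter.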
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html
+
+IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /)
+DBNAME=$(whiptail --title "DB" --inputbox "DB Name :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBUSER=$(whiptail --title "DB" --inputbox "DB User :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DBPASS=$(whiptail --title "DB" --inputbox "DB Pass :" 0 30 "nextcloud" 3>&1 1>&2 2>&3)
+DATAPATH=$(whiptail --title "DATA" --inputbox "DATA Path :" 0 30 "/srv/nextcloud/data" 3>&1 1>&2 2>&3)
+NCUSER=$(whiptail --title "NextCloud" --inputbox "Admin Name :" 0 30 "admin" 3>&1 1>&2 2>&3)
+NCPASS=$(whiptail --title "NextCloud" --inputbox "Admin Pass :" 0 30 "admin" 3>&1 1>&2 2>&3)
+
+
+apt install -y sudo apache2 coturn
+apt install -y php7.4 php7.4-curl php7.4-gd php7.4-mbstring php7.4-zip php-xml php-bz2 php7.4-intl php7.4-fpm php-apcu php-memcached php-redis php-imagick php7.4-bcmath php7.4-gmp libapache2-mod-php7.4
+apt install -y php7.4-mysql mariadb-server
+apt install -y smbclient ffmpeg libmagickcore-6.q16-6-extra
+
+a2dissite 000-default
+a2dissite default-ssl.conf
+a2enmod rewrite
+a2enmod headers
+a2enmod env
+a2enmod dir
+a2enmod mime
+a2enmod ssl
+
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/apache2/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/fpm/php.ini
+sed -i "s/memory_limit =.*/memory_limit = 512M/g" /etc/php/7.4/cli/php.ini
+echo "apc.enable_cli=1" >> /etc/php/7.4/cli/php.ini
+
+mysql -e "CREATE DATABASE ${DBNAME};CREATE USER '${DBUSER}'@'localhost' IDENTIFIED BY '${DBPASS}';GRANT ALL ON ${DBNAME}.* TO '${DBUSER}'@'localhost' WITH GRANT OPTION;FLUSH PRIVILEGES;"
+
+wget https://download.nextcloud.com/server/releases/latest.tar.bz2
+tar -xvf latest.tar.bz2
+mv nextcloud /var/www
+chown -R www-data:www-data /var/www/nextcloud
+mkdir -p ${DATAPATH}
+chown -R www-data:www-data ${DATAPATH}
+
+cat > 
/etc/apache2/sites-available/nextcloud.conf << "EOF" + + Protocols h2 http:/1.1 + DocumentRoot "/var/www/nextcloud" + #ServerName nextcloud.your-domain.com + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains" + SSLEngine on + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + SSLCertificateChainFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLProtocol TLSv1.2 + + + Options +FollowSymlinks + AllowOverride All + + Dav off + + SetEnv HOME /var/www/nextcloud + SetEnv HTTP_HOME /var/www/nextcloud + Satisfy Any + + + +EOF + +a2ensite nextcloud +systemctl restart apache2 + +cd /var/www/nextcloud/ +sudo -u www-data php occ maintenance:install \ + --database "mysql" \ + --database-name "${DBNAME}" \ + --database-user "${DBUSER}" \ + --database-pass "${DBPASS}" \ + --admin-user "${NCUSER}" \ + --admin-pass "${NCPASS}" \ + --data-dir "${DATAPATH}" +sed -i "s/0 => 'localhost/0 => '${IPV4}/" /var/www/nextcloud/config/config.php +sed -i "s/\/\/localhost/\/\/${IPV4}/" /var/www/nextcloud/config/config.php +sed -i "s/http:/https:/" /var/www/nextcloud/config/config.php +sed -i "/^);*/i\ \ 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu'," /var/www/nextcloud/config/config.php +sed -i "/^);*/i\ \ 'default_phone_region' => 'CH'," /var/www/nextcloud/config/config.php +echo "*/5 * * * * php -f /var/www/nextcloud/cron.php" | crontab -u www-data - +sudo -u www-data php occ background:cron + +cat >> /etc/turnserver.conf << "EOF" +listening-port=8080 +listening-ip=0.0.0.0 +fingerprint +use-auth-secret +static-auth-secret=AUTHSECRET +# realm=nextcloud.dom.lan +total-quota=0 +bps-capacity=0 +stale-nonce +no-multicast-peers +EOF +AUTHSECRET=$(openssl rand -hex 32) +sed "s/AUTHSECRET/${AUTHSECRET}/" turnserver.conf + +if [ -f "/etc/iptables/rules.v4" ]; then + sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p 
 tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NextCloud' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p udp -m udp --dport 8080 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TurnServer' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/nodejs-14/nodejs-14.sh b/debian-11/apps/nodejs-14/nodejs-14.sh
new file mode 100644
index 0000000..3220a1e
--- /dev/null
+++ b/debian-11/apps/nodejs-14/nodejs-14.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_14.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+ res.writeHead(200, {'Content-Type': 'text/plain'})
+ res.write('Hello World!')
+ res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
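Review bot: `wget https://download.nextcloud.com/server/releases/latest.tar.bz2` is unpacked and moved into /var/www with no integrity check, and because nothing pins a version, what ends up as the web root depends entirely on what the download host serves at that moment. Nextcloud publishes a `.sha256` (and `.asc`) next to every release tarball, so fetching `latest.tar.bz2.sha256` and running `sha256sum -c latest.tar.bz2.sha256` before `tar -xvf latest.tar.bz2` costs two lines; nextcloud-26.sh needs the same for `latest-26.tar.bz2`. The database user is also created with `WITH GRANT OPTION`, which Nextcloud does not need — `GRANT ALL ON ${DBNAME}.*` alone is sufficient and keeps the account from delegating its privileges.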
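Review bot: The unit written to /etc/systemd/system/nodejs.service leaves `#User=websites` and `#Group=websites` commented out, so the sample app.js (and whatever later replaces it in /srv/node) runs as root only to bind port 80; after creating that user, uncommenting both lines and adding `AmbientCapabilities=CAP_NET_BIND_SERVICE` keeps the low port without root privileges. The same applies to nodejs-16.sh, nodejs-18.sh, nodejs-19.sh and nodejs-20.sh. `curl -sL https://deb.nodesource.com/setup_14.x | bash -` executes a remote script as root with no pinning or verification; the repository can instead be added by writing the keyring and a `[signed-by=...]` sources entry directly, as nextcloud-26.sh already does for packages.sury.org. `mkdir /srv/node` without `-p` fails on a re-run and, with no `set -e`, the script carries on regardless; `StandardOutput=syslog` is also deprecated in current systemd in favor of `journal`.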
diff --git a/debian-11/apps/nodejs-16/nodejs-16.sh b/debian-11/apps/nodejs-16/nodejs-16.sh
new file mode 100644
index 0000000..0322394
--- /dev/null
+++ b/debian-11/apps/nodejs-16/nodejs-16.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_16.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+ res.writeHead(200, {'Content-Type': 'text/plain'})
+ res.write('Hello World!')
+ res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/nodejs-18/nodejs-18.sh b/debian-11/apps/nodejs-18/nodejs-18.sh
new file mode 100644
index 0000000..fc2d5f4
--- /dev/null
+++ b/debian-11/apps/nodejs-18/nodejs-18.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_18.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+ res.writeHead(200, {'Content-Type': 'text/plain'})
+ res.write('Hello World!')
+ res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/nodejs-19/nodejs-19.sh b/debian-11/apps/nodejs-19/nodejs-19.sh
new file mode 100644
index 0000000..696d317
--- /dev/null
+++ b/debian-11/apps/nodejs-19/nodejs-19.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_19.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+ res.writeHead(200, {'Content-Type': 'text/plain'})
+ res.write('Hello World!')
+ res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/nodejs-20/nodejs-20.sh b/debian-11/apps/nodejs-20/nodejs-20.sh
new file mode 100644
index 0000000..83981eb
--- /dev/null
+++ b/debian-11/apps/nodejs-20/nodejs-20.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+mkdir /srv/node
+curl -sL https://deb.nodesource.com/setup_20.x | bash -
+apt install -y nodejs
+npm i -g nodemon
+
+cat > /etc/systemd/system/nodejs.service << EOF
+[Service]
+ExecStart=/usr/bin/node app.js
+WorkingDirectory=/srv/node
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=node
+#User=websites
+#Group=websites
+Environment=NODE_ENV=production
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /srv/node/app.js << "EOF"
+var http = require('http')
+
+http.createServer(function (req, res) {
+ res.writeHead(200, {'Content-Type': 'text/plain'})
+ res.write('Hello World!')
+ res.end()
+}).listen(80)
+EOF
+
+systemctl daemon-reload
+systemctl enable nodejs.service
+systemctl start nodejs.service
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # NodeJS' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/portainer/portainer.sh b/debian-11/apps/portainer/portainer.sh
new file mode 100644
index 0000000..4d151b2
--- /dev/null
+++ b/debian-11/apps/portainer/portainer.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker run -d --name="portainer" --restart=unless-stopped -p 8000:8000 -p 9000:9000 -p 9443:9443 -v /var/run/docker.sock:/var/run/docker.sock -v /srv/portainer/data:/data portainer/portainer-ce
diff --git a/debian-11/apps/proxmox-7/proxmox-7.sh b/debian-11/apps/proxmox-7/proxmox-7.sh
new file mode 100644
index 0000000..ad60c69
--- /dev/null
+++ b/debian-11/apps/proxmox-7/proxmox-7.sh
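Review bot: `-p 8000:8000 -p 9000:9000 -p 9443:9443` publishes the plain-HTTP UI (9000) and the Edge agent tunnel (8000) on every interface alongside the TLS port, and the image is pulled by the floating tag `portainer/portainer-ce` with no version or digest. If only the TLS UI is needed, `-p 9443:9443` alone suffices; otherwise bind the others to loopback (`-p 127.0.0.1:9000:9000`) and pin the image to a release tag. Mounting /var/run/docker.sock hands the container root-equivalent control of the host, which is inherent to Portainer but deserves a comment above the command; unlike the other scripts, no firewall rule is added here, which presumably relies on Docker's own nat/FORWARD rules bypassing the INPUT chain of files/rules.v4.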
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+HOSTNAME=$(hostname -s)
+FQDN=$(hostname)
+IPV4INT=$(ip addr | grep ' /etc/hosts
+echo "${IPV4} ${FQDN} ${HOSTNAME}" >> /etc/hosts
+
+apt remove -y iptables-persistent
+rm -R /etc/iptables
+
+echo "deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription" >> /etc/apt/sources.list
+wget http://download.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
+
+apt update
+apt -y full-upgrade
+export DEBIAN_FRONTEND=noninteractive
+apt install -y proxmox-ve postfix open-iscsi ifupdown2
+apt remove -y os-prober linux-image-*
+update-grub
+
+echo "# deb https://enterprise.proxmox.com/debian/pve bullseye pve-enterprise" > /etc/apt/sources.list.d/pve-enterprise.list
+
+NETFILE=/etc/network/interfaces.new
+echo "" >> ${NETFILE}
+echo "auto vmbr0" >> ${NETFILE}
+echo "iface vmbr0 inet static" >> ${NETFILE}
+echo " address ${IPV4}/${IPV4MASK}" >> ${NETFILE}
+echo " gateway ${IPV4GW}" >> ${NETFILE}
+echo " bridge-ports ${IPV4INT}" >> ${NETFILE}
+echo " bridge-stp off" >> ${NETFILE}
+echo " bridge-fd 0" >> ${NETFILE}
+
+rm /etc/network/interfaces.d/*
diff --git a/debian-11/apps/rinetd/rinetd.sh b/debian-11/apps/rinetd/rinetd.sh
new file mode 100644
index 0000000..733f5cf
--- /dev/null
+++ b/debian-11/apps/rinetd/rinetd.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+apt install -y rinetd
+
+nano /etc/rinetd.conf
+systemctl restart rinetd
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # RINETD' /etc/iptables/rules.v4
+ nano /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/tang/tang.sh b/debian-11/apps/tang/tang.sh
new file mode 100644
index 0000000..b6d3691
--- /dev/null
+++ b/debian-11/apps/tang/tang.sh
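Review bot: `wget http://download.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg` fetches the repository signing key over plain HTTP and installs it where apt trusts it for every repository; use the https URL, compare the file's checksum with the value published in the Proxmox installation guide before `apt update`, and reference the key with `[signed-by=...]` in the sources entry instead of trusted.gpg.d. `apt remove -y iptables-persistent` followed by `rm -R /etc/iptables` removes the host firewall before proxmox-ve is installed and nothing replaces it, so the node is unfiltered until the PVE firewall is configured by hand. Part of this hunk (the `IPV4INT=$(ip addr | grep ' /etc/hosts` line) appears truncated in this view, so the hosts-file edit and the IPV4MASK/IPV4GW assignments could not be reviewed.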
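Review bot: `nano /etc/iptables/rules.v4` followed directly by `iptables-restore /etc/iptables/rules.v4` applies a hand-edited ruleset with no validation: on a syntax error iptables-restore rejects the file, the previous rules stay active, and the script reports nothing. Run `iptables-restore --test /etc/iptables/rules.v4 || exit 1` before the real restore, and consider the same check in the other scripts that edit rules.v4 with sed. Launching an interactive editor (`nano /etc/rinetd.conf`) from a provisioning script also makes the result unreproducible; a templated config with the forwarding pairs as variables would be easier to review.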
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+apt install -y tang
+
+# systemctl edit tangd.socket
+# systemctl daemon-reload
+systemctl enable tangd.socket
+systemctl start tangd.socket
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # TANGD' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/apps/tor-gw/tor-gw.sh b/debian-11/apps/tor-gw/tor-gw.sh
new file mode 100644
index 0000000..da31eba
--- /dev/null
+++ b/debian-11/apps/tor-gw/tor-gw.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+apt install -y tor
+
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+
+cat >> /etc/tor/torrc << EOF
+VirtualAddrNetwork 10.192.0.0/10
+AutomapHostsSuffixes .onion,.exit
+AutomapHostsOnResolve 1
+TransPort 0.0.0.0:9040
+DNSPort 0.0.0.0:53
+EOF
+
+service tor restart
+
+cat > /etc/iptables/rules.v4 << EOF
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+EOF
+iptables-restore /etc/iptables/rules.v4
+
+iptables -t nat -A PREROUTING ! -i lo -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
+iptables -t nat -A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
+iptables -t nat -A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
+iptables-save > /etc/iptables/rules.v4
+
+sed -i '/net.ipv4.ip_forward/s/^#//g' /etc/sysctl.conf
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+echo ""
+echo ""
+echo ""
+ip a | grep "inet "
+
+echo ""
+echo "Note for Firefox :"
+echo "You need to enable dot onion in about:config."
+echo "network.dns.blockDotOnion = False"
diff --git a/debian-11/apps/traefik/traefik.sh b/debian-11/apps/traefik/traefik.sh
new file mode 100644
index 0000000..2189800
--- /dev/null
+++ b/debian-11/apps/traefik/traefik.sh
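Review bot: The firewall rule accepts `--dport 80` from any source, while tang has no authentication of its own, so every host that can reach port 80 can query the advertisement and the recovery endpoint; adding `-s <client-network-cidr>` (placeholder) to the rule keeps the server reachable only from the hosts it is meant to unlock. The commented `systemctl edit tangd.socket` hints that the listen port may be changed, but the rule hardcodes 80 — if the port is overridden in the socket unit, the rule has to follow, which a short comment above the `sed -i` line should say.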
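Review bot: The rules.v4 written by this script sets `:INPUT ACCEPT` and `:FORWARD ACCEPT` with no rules at all, replacing the default-deny ruleset from files/rules.v4; after `iptables-restore` and the `iptables-save` that follows, every listener on the gateway — including `TransPort 0.0.0.0:9040` and `DNSPort 0.0.0.0:53` — is reachable from any interface and persists that way across reboots. Keep `:INPUT DROP` with the lo and RELATED,ESTABLISHED rules and accept 22/tcp, 53/udp and 9040/tcp only on the client-facing interface (`-i <client-if>`, placeholder), since the REDIRECT rules already steer client traffic to those ports. The `! -i lo` REDIRECT rules also catch traffic addressed to the gateway itself, not only forwarded traffic, which is worth a comment so the next maintainer does not take it for a bug.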
@@ -0,0 +1,257 @@
+#!/bin/bash
+
+RELEASE=$(whiptail --title "Traefik" --inputbox "Release :" 0 30 "2.7.1" 3>&1 1>&2 2>&3)
+ACCOUNT=$(whiptail --title "Traefik" --inputbox "ACME E-Mail :" 0 30 "" 3>&1 1>&2 2>&3)
+
+main() {
+ Traefik-etc-certs-selfsigned
+ Traefik-etc-services
+ Traefik-etc-config
+ Traefik-etc-iptable
+ Traefik-bin-update-traefik
+ Traefik-service
+}
+
+
+Traefik-etc-certs-selfsigned() {
+ mkdir -p /etc/traefik/certs
+ openssl ecparam -name secp256r1 -genkey -out /etc/traefik/certs/self.key
+ openssl req -new -x509 -key /etc/traefik/certs/self.key -sha256 -nodes -out /etc/traefik/certs/self.crt -days 3650
+}
+
+Traefik-etc-services() {
+ mkdir -p /etc/traefik/services
+ Traefik-etc-services-shared
+ Traefik-etc-services-default
+}
+
+Traefik-etc-services-shared() {
+ cat >> /etc/traefik/services/_shared.yaml << "EOF"
+tls:
+ stores:
+ default:
+ defaultCertificate:
+ certFile: "/etc/traefik/certs/self.crt"
+ keyFile: "/etc/traefik/certs/self.key"
+
+ options:
+ default:
+ minVersion: "VersionTLS12"
+ # sniStrict: true
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+ mintls13:
+ minVersion: "VersionTLS13"
+
+http:
+ middlewares:
+ to-https:
+ redirectScheme:
+ scheme: "https"
+ permanent: true
+ to-no-www:
+ redirectRegex:
+ regex: "^https://www.(.*)"
+ replacement: "https://${1}"
+ permanent: true
+
+ hsts-min:
+ headers:
+ sslRedirect: true
+ stsIncludeSubdomains: false
+ stsPreload: true
+ stsSeconds: 63072000
+ contentTypeNosniff: true
+ accessControlMaxAge: 100
+ addVaryheader: true
+ hsts_light:
+ headers:
+ sslRedirect: true
+ frameDeny: true
+ stsIncludeSubdomains: false
+ stsPreload: true
+ stsSeconds: 63072000
+ contentTypeNosniff: true
+ accessControlMaxAge: 100
+ addVaryheader: true
+ hsts:
+ headers:
+ 
sslRedirect: true
+ frameDeny: true
+ stsIncludeSubdomains: false
+ stsPreload: true
+ stsSeconds: 63072000
+ contentTypeNosniff: true
+ accessControlMaxAge: 100
+ addVaryheader: true
+ referrerPolicy: "origin-when-cross-origin"
+ hsts-strict:
+ headers:
+ sslRedirect: true
+ frameDeny: true
+ stsIncludeSubdomains: false
+ stsPreload: true
+ stsSeconds: 63072000
+ contentTypeNosniff: true
+ accessControlMaxAge: 100
+ addVaryheader: true
+ contentSecurityPolicy: "script-src 'self'"
+ referrerPolicy: "origin-when-cross-origin"
+
+ services:
+ dummy:
+ loadBalancer:
+ servers:
+ - url: "https://127.0.0.1:2"
+
+ # matomo:
+ # loadBalancer:
+ # servers:
+ # - url: "https://x.x.x.x:xxx"
+EOF
+}
+
+Traefik-etc-services-default() {
+ cat >> /etc/traefik/services/_default.yaml << "EOF"
+http:
+ routers:
+ _default:
+ entryPoints:
+ - http
+ rule: "PathPrefix(`/`)"
+ # priority: 100
+ # service: _default-matomo
+ service: _default
+
+ _default-secure:
+ entryPoints:
+ - https
+ rule: "PathPrefix(`/`)"
+ # priority: 100
+ # service: _default-matomo
+ service: _default
+ tls:
+ acmev2-staging
+
+ services:
+ # _default-matomo:
+ # mirroring:
+ # service: _default
+ # maxBodySize: 1024
+ # mirrors:
+ # - name: matomo
+ # percent: 100
+
+ _default:
+ loadBalancer:
+ servers:
+ - url: https://127.0.0.1:2
+EOF
+}
+
+Traefik-etc-config() {
+ cat >> /etc/traefik/traefik.yaml << "EOF"
+entryPoints:
+ http:
+ address: ":80"
+ https:
+ address: ":443"
+ traefik:
+ address: ":8099"
+
+api:
+ dashboard: true
+ insecure: true
+
+serversTransport:
+ insecureSkipVerify: true
+
+providers:
+ file:
+ directory: "/etc/traefik/services/"
+ watch: true
+
+certificatesResolvers:
+ acmev2:
+ acme:
+ email: "X{ACCOUNT}"
+ caserver: "https://acme-v02.api.letsencrypt.org/directory"
+ storage: "/etc/traefik/certs/acmev2.json"
+ keyType: "EC384"
+ tlsChallenge: {}
+ acmev2-staging:
+ acme:
+ email: "X{ACCOUNT}"
+ caserver: "https://acme-staging-v02.api.letsencrypt.org/directory"
+ storage: 
"/etc/traefik/certs/acmev2-staging.json"
+ keyType: "EC384"
+ tlsChallenge: {}
+EOF
+
+sed -i "s/X{ACCOUNT}/${ACCOUNT}/g" /etc/traefik/traefik.yaml
+
+}
+
+Traefik-etc-iptable() {
+ if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 8099 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ sed -i '/^-A INPUT -i lo -j ACCEPT.*/a # Traefik' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+ fi
+}
+
+Traefik-bin-update-traefik() {
+ cat >> /usr/local/bin/update-traefik << "EOF"
+#!/bin/bash
+
+if [[ -z ${1} ]]; then
+ echo "update-traefik version"
+ echo "version : x.x.x"
+ exit 1
+fi
+version=${1}
+mkdir -p /tmp/traefik
+cd /tmp/traefik
+wget https://github.com/traefik/traefik/releases/download/v${version}/traefik_v${version}_linux_amd64.tar.gz
+tar -xf traefik_v${version}_linux_amd64.tar.gz
+systemctl stop traefik
+cp traefik /usr/local/bin
+systemctl start traefik
+cd
+rm -R /tmp/traefik
+EOF
+ chmod 755 /usr/local/bin/update-traefik
+ update-traefik ${RELEASE}
+}
+
+Traefik-service() {
+ cat >> /etc/systemd/system/traefik.service << "EOF"
+[Unit]
+Description=Traefik
+After=network.target auditd.service
+
+[Service]
+ExecStart=/usr/local/bin/traefik -configFile /etc/traefik/traefik.yaml
+ExecReload=/bin/killall traefik
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+ systemctl daemon-reload
+ systemctl enable traefik
+ systemctl restart traefik
+}
+
+
+main
diff --git a/debian-11/apps/webmin/webmin.sh b/debian-11/apps/webmin/webmin.sh
new file mode 100644
index 0000000..f427d09
--- /dev/null
+++ b/debian-11/apps/webmin/webmin.sh
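Review bot: traefik.yaml enables the dashboard with `api: insecure: true` on the `traefik` entrypoint (`:8099`), and `Traefik-etc-iptable` then opens 8099 to any source, so the API and dashboard are reachable unauthenticated from the network; set `insecure: false` and publish the dashboard through a router with an auth middleware, or at least restrict the 8099 rule with `-s`. `serversTransport: insecureSkipVerify: true` disables certificate verification towards every backend globally, which nothing in the shipped `dummy`/`_default` services (both pointing at `https://127.0.0.1:2`) requires. In `Traefik-bin-update-traefik` the release tarball is downloaded from GitHub into the predictable `/tmp/traefik` and copied straight into /usr/local/bin with no checksum, although the release assets include a checksums file; verifying it with `sha256sum -c --ignore-missing` and using `mktemp -d` costs three lines. Every `cat >>` in these functions appends, so a second run duplicates the YAML and unit contents rather than replacing them.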
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+echo "deb https://download.webmin.com/download/repository sarge contrib" > /etc/apt/sources.list.d/webmin.list
+wget https://download.webmin.com/jcameron-key.asc
+cat jcameron-key.asc | gpg --dearmor >/etc/apt/trusted.gpg.d/jcameron-key.gpg
+
+apt update
+apt-get -y install webmin
+
+systemctl daemon-reload
+systemctl start webmin
+
+if [ -f "/etc/iptables/rules.v4" ]; then
+ sed -i '/^COMMIT.*/i # Webmin' /etc/iptables/rules.v4
+ sed -i '/^COMMIT.*/i -A INPUT -p tcp -m tcp --dport 10000 -m state --state NEW -j ACCEPT' /etc/iptables/rules.v4
+ iptables-restore /etc/iptables/rules.v4
+fi
diff --git a/debian-11/files/alias.sh b/debian-11/files/alias.sh
new file mode 100644
index 0000000..43d610f
--- /dev/null
+++ b/debian-11/files/alias.sh
@@ -0,0 +1,11 @@
+alias ls='ls --color=auto -hl --time-style long-iso'
+alias l='ls --color=auto -hlA --time-style long-iso'
+alias ll='ls --color=auto -hla --time-style long-iso'
+alias cd..='cd ..'
+alias ff='find / -name'
+alias f='find . -name'
+alias fif='grep -rnw . -e'
+alias grep='grep --color=auto'
+alias ip='ip -c'
+alias vdir='vdir --color=auto'
+alias watch='watch --color'
diff --git a/debian-11/files/issue b/debian-11/files/issue
new file mode 100644
index 0000000..eb49462
--- /dev/null
+++ b/debian-11/files/issue
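Review bot: `cat jcameron-key.asc | gpg --dearmor >/etc/apt/trusted.gpg.d/jcameron-key.gpg` installs the Webmin key as a trust root for every apt repository on the host; write it under /usr/share/keyrings and reference it with `[signed-by=...]` in webmin.list, as nextcloud-26.sh already does for packages.sury.org. `wget https://download.webmin.com/jcameron-key.asc` also drops the file in whatever directory the script was started from and nothing checks that the download succeeded before `gpg --dearmor` runs on it (`gpg --dearmor < jcameron-key.asc` avoids the useless cat as well). The rule insertion anchors on `/^COMMIT.*/i` while every other script anchors on `/^-A INPUT -i lo -j ACCEPT.*/a`; the result is equivalent, but one convention would make the rules files easier to audit.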
@@ -0,0 +1,21 @@
+\v \r \l
+
+ .o oOOOOOOOo OOOo
+ Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
+ OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
+ OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
+ `O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
+ .OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
+ OOOOO '"OOOOOOOOOOOOOOOO"` oOO
+ oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
+ oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
+ OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
+ "OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
+ Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
+ : .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
+ . oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
+ '%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
+ `$" `OOOO' `O"Y ' `OOOO' o .
+ . . OP" : o .
+ :
+ .
diff --git a/debian-11/files/ps1.sh b/debian-11/files/ps1.sh
new file mode 100644
index 0000000..b2e5b29
--- /dev/null
+++ b/debian-11/files/ps1.sh
@@ -0,0 +1,5 @@
+clrreset='\e[0m'
+clrwhite='\e[1;37m'
+clrgreen='\e[1;32m'
+clrred='\e[1;31m'
+export PS1="\[$clrred\][$USER@$HOSTNAME]\[$clrwhite\] \w \`if [ \$? = 0 ]; then echo -e '\[$clrgreen\]'; else echo -e '\[$clrred\]'; fi\`\\$ \[$clrreset\]"
diff --git a/debian-11/files/rules.v4 b/debian-11/files/rules.v4
new file mode 100644
index 0000000..7336aaf
--- /dev/null
+++ b/debian-11/files/rules.v4
@@ -0,0 +1,13 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# Ping
+-A INPUT -p icmp -j ACCEPT
+# SSH
+-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
+# SNMPD
+-A INPUT -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
+COMMIT
diff --git a/debian-11/files/rules.v6 b/debian-11/files/rules.v6
new file mode 100644
index 0000000..0bf819a
--- /dev/null
+++ b/debian-11/files/rules.v6
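Review bot: The baseline rules.v4 accepts `--dport 161` (SNMP) from any source on every host provisioned with it, regardless of whether snmpd is installed or where the monitoring system sits; add `-s <monitoring-host-or-cidr>` (placeholder) to that rule, and a comment stating which poller it is meant for. Every app script in this commit inserts its rules right after the `-A INPUT -i lo -j ACCEPT` line, so a comment here noting that this line is the insertion anchor would stop someone from reordering the file and silently breaking those `sed -i '/^-A INPUT -i lo -j ACCEPT.*/a ...'` edits.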
@@ -0,0 +1,7 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+COMMIT
diff --git a/debian-11/init.sh b/debian-11/init.sh
new file mode 100644
index 0000000..9a44086
--- /dev/null
+++ b/debian-11/init.sh
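Review bot: `:INPUT DROP` with only the lo and RELATED,ESTABLISHED rules also drops ICMPv6, and in the usual conntrack setup Neighbor Discovery and Router Advertisement messages are not matched as ESTABLISHED, so a host that loads this file tends to lose IPv6 connectivity rather than merely closing its ports. Add `-A INPUT -p ipv6-icmp -j ACCEPT` before COMMIT (or at least the NDP/RA types), and mirror the 22/tcp rule from rules.v4 if SSH over IPv6 is expected; none of the app scripts touch rules.v6, so any service they open on v4 stays closed on v6, which is worth a comment at the top of this file.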
@@ -0,0 +1,346 @@
+#!/bin/bash
+
+declare BASE_URL=https://git.netm.ch/m/os-init/raw/branch/main
+declare DIR_URL=debian-11
+IPV4=127.0.0.1
+ISLXC=0
+ISPVE=0
+
+showHelp() {
+ echo "init.sh"
+ echo ""
+ echo "usage :"
+ echo "bash init.sh [options]"
+ echo " -b | --base-url url"
+}
+
+InitConst() {
+ IPV4=$(ip addr | grep 'inet ' | grep -v '127.0' | head -n1 | awk '{print $2}' | cut -f1 -d /)
+
+ grep -q -v -a lxc /proc/1/environ
+ ISLXC=$?
+
+ if [[ -d "/etc/pve" ]]; then
+ ISPVE=1
+ fi
+}
+
+Main() {
+ InitConst
+ if [[ ${ISLXC} == 0 ]]; then
+ if [[ ${ISPVE} == 0 ]]; then
+ NetSetHostname
+ NetIPConfig
+ fi
+ else
+ APTCleanupLXCPackage
+ fi
+ if [[ ${ISPVE} == 0 ]]; then
+ NetCleanUpSystemdResolved
+ fi
+ APTSetProxy
+ APTUpdateDist
+ APTInstallBase
+ APTCleanAll
+ BashSetAlias
+ BashSetPS
+ NanoSetConfig
+ if [[ ${ISPVE} == 0 ]]; then
+ IssueSetContent
+ fi
+ SSHEnableRootLogin
+ GrubSetConfig
+ if [[ ${ISPVE} == 0 ]]; then
+ InstApps
+ fi
+ Reboot
+}
+
+NetSetHostname() {
+ hostname=$(hostname)
+ hostname=$(whiptail --title "Hostname + Domain" --inputbox "" 0 30 "${hostname}" 3>&1 1>&2 2>&3)
+ if [ "$?" = "0" ] && [ "${hostname}" != "" ]; then
+ hostnamectl set-hostname "${hostname}"
+ fi
+}
+NetIPConfig() {
+ options=()
+ options+=("DHCP" "")
+ options+=("Static" "")
+ sel=$(whiptail --title "Network" --menu "" 0 0 0 "${options[@]}" 3>&1 1>&2 2>&3)
+ if [ "$?" = "0" ]; then
+ case ${sel} in
+ "Static") NetIPConfigStatic;;
+ esac
+ fi
+}
+NetIPConfigStatic() {
+ netif="$(ip a | grep ens | head -n1 | cut -d: -f2)"
+ netif=${netif:1}
+ netip="${IPV4}"
+ netmask="255.255.255.0"
+ netgw="$(echo "${IPV4}" | cut -d. -f1-3).1"
+ netdns="$(echo "${IPV4}" | cut -d. -f1-3).1"
+ netip=$(whiptail --title "Network" --inputbox "IP" 0 30 "${netip}" 3>&1 1>&2 2>&3)
+ if [ "$?" = "0" ] && [ "${netip}" != "" ]; then
+ netmask=$(whiptail --title "Network" --inputbox "Mask" 0 30 "${netmask}" 3>&1 1>&2 2>&3)
+ if [ "$?" = "0" ] && [ "${netmask}" != "" ]; then
+ netgw=$(whiptail --title "Network" --inputbox "Route" 0 30 "${netgw}" 3>&1 1>&2 2>&3)
+ if [ "$?" = "0" ] && [ "${netgw}" != "" ]; then
+ netdns=$(whiptail --title "Network" --inputbox "DNS" 0 30 "${netdns}" 3>&1 1>&2 2>&3)
+ if [ "$?" = "0" ] && [ "${netdns}" != "" ]; then
+ echo "allow-hotplug ${netif}" > /etc/network/interfaces.d/${netif}
+ echo "iface ${netif} inet static" >> /etc/network/interfaces.d/${netif}
+ echo -e "\taddress ${netip}" >> /etc/network/interfaces.d/${netif}
+ echo -e "\tnetmask ${netmask}" >> /etc/network/interfaces.d/${netif}
+ echo -e "\tgateway ${netgw}" >> /etc/network/interfaces.d/${netif}
+ sed -i "/${netif}/d" /etc/network/interfaces
+ echo "nameserver ${netdns}" > /etc/resolv.conf
+ fi
+ fi
+ fi
+ fi
+}
+NetCleanUpSystemdResolved() {
+ sed -i s/#LLMNR=yes/LLMNR=no/ /etc/systemd/resolved.conf
+ sed -i s/#DNSStubListener=yes/DNSStubListener=no/ /etc/systemd/resolved.conf
+ systemctl restart systemd-resolved
+}
+
+APTSetProxy() {
+ proxy=""
+ proxy=$(whiptail --title "Proxy" --inputbox "ex : http://192.168.1.200/ or leave empty for none" 0 30 "${proxy}" 3>&1 1>&2 2>&3)
+ if [ "$?" = "0" ]; then
+ if [ "${proxy}" != "" ]; then
+ echo "Acquire::http { Proxy \"${proxy}\"; };" > /etc/apt/apt.conf.d/02proxy
+ fi
+ fi
+}
+APTCleanupLXCPackage() {
+ apt remove -y bind9-host debian-faq doc-debian postfix x11-common fontconfig-config fonts-dejavu-core gdbm-l10n python-apt-common
+}
+APTUpdateDist() {
+ apt update -y
+ apt dist-upgrade -y
+}
+APTInstallBase() {
+ options=()
+ options+=("curl" "" on)
+ options+=("wget" "" on)
+ options+=("lsof" "" on)
+ options+=("acpi" "" on)
+ options+=("bash-completion" "" on)
+ if [[ ${ISPVE} == 0 ]]; then
+ options+=("iptables" "" on)
+ options+=("iptables-persistent" "" on)
+ else
+ options+=("iptables" "" off)
+ options+=("iptables-persistent" "" off)
+ fi
+ options+=("openssh-server" "" on)
+ options+=("gnupg" "" on)
+ options+=("rsync" "" on)
+ options+=("nmon" "" on)
+ options+=("snmpd" "" on)
+ options+=("clevis-net" "" off)
+ sel=$(whiptail --title "Basic Install" --checklist "" 0 0 0 "${options[@]}" 3>&1 1>&2 2>&3)
+ if [ "$?" = "0" ]; then
+ pkg=""
+ for itm in ${sel}; do
+ case ${itm} in
+ '"iptables-persistent"')
+ pkg="${pkg} $(echo ${itm} | sed 's/"//g')"
+ IPTablesPostInstall;;
+ '"clevis-net"')
+ pkg="${pkg} clevis clevis-luks clevis-systemd clevis-initramfs clevis-tpm2";;
+ *)
+ pkg="${pkg} $(echo ${itm} | sed 's/"//g')";;
+ esac
+ done
+ apt install -y ${pkg}
+ for itm in ${sel}; do
+ case ${itm} in
+ '"iptables-persistent"')
+ IPTablesConfig;;
+ '"snmpd"')
+ SNMPDConfig;;
+ '"clevis-net"')
+ ClevisNetInit;;
+ esac
+ done
+ fi
+}
+APTCleanAll() {
+ apt-get autoremove -y
+ apt-get autoclean -y
+}
+
+BashSetAlias() {
+ wget -O /etc/profile.d/alias.sh "${BASE_URL}"/"${DIR_URL}"/files/alias.sh
+}
+BashSetPS() {
+ wget -O /etc/profile.d/ps1.sh "${BASE_URL}"/"${DIR_URL}"/files/ps1.sh
+}
+
+NanoSetConfig() {
+ sed -i "/tabsize/c\set tabsize 2" /etc/nanorc
+ {
+ echo "set numbercolor brightwhite"
+ echo "set statuscolor brightwhite,green"
+ echo "set keycolor cyan"
+ echo "set functioncolor green"
+ } >> /etc/nanorc
+ {
+ echo "set titlecolor brightwhite,red"
+ echo "set statuscolor brightwhite,red"
+ } > /root/.nanorc
+}
+
+IssueSetContent() {
+ wget -O /etc/issue "${BASE_URL}"/"${DIR_URL}"/files/issue
+}
+
+IPTablesPostInstall() {
+ echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
+ echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
+}
+IPTablesConfig() {
+ wget -O /etc/iptables/rules.v4 "${BASE_URL}"/"${DIR_URL}"/files/rules.v4
+ wget -O /etc/iptables/rules.v6 "${BASE_URL}"/"${DIR_URL}"/files/rules.v6
+ iptables-restore /etc/iptables/rules.v4
+ ip6tables-restore /etc/iptables/rules.v6
+}
+
+SNMPDConfig() {
+ cummunityname=public
+ cummunityname=$(whiptail --title "SNMP Community name" --inputbox "" 0 30 "${cummunityname}" 3>&1 1>&2 2>&3)
+ sed -i "s/public/${cummunityname}/" /etc/snmp/snmpd.conf
+ sed -i "s/127.0.0.1,\[::1\]/0.0.0.0/" /etc/snmp/snmpd.conf
+ systemctl restart snmpd
+}
+
+ClevisNetInit() {
+ LUKSPARTS=$(lsblk -p -l --fs |grep LUKS |cut -d " " -f1)
+ options=()
+ IFS_ORIG=$IFS
+ IFS=$'\n'
+ for LUKSPART in ${LUKSPARTS}
+ do
+ options+=("${LUKSPART}" "")
+ done
+ IFS=$IFS_ORIG
+ DEV=$(whiptail --title "Select root LUKS part" --menu "" 0 0 0 "${options[@]}" 3>&1 1>&2 2>&3)
+ # shellcheck disable=SC2181
+ if [ "$?" = "0" ]; then
+ TANGURL=$(whiptail --title "Tang Server" --inputbox "URL" 0 30 "" 3>&1 1>&2 2>&3)
+ if [ "$?" = "0" ]; then
+ clevis luks bind -d ${DEV} tang "{\"url\": \"${TANGURL}\"}"
+ systemctl enable clevis-luks-askpass.path
+ fi
+ fi
+}
+
+SSHEnableRootLogin() {
+ sed -i "/PermitRootLogin prohibit-password/c\PermitRootLogin yes #prohibit-password" /etc/ssh/sshd_config
+ systemctl restart sshd
+}
+
+GrubSetConfig() {
+ if [ -f "/etc/default/grub" ]; then
+ sed -i "/GRUB_TIMEOUT/c\GRUB_TIMEOUT=1" /etc/default/grub
+ update-grub
+ fi
+}
+
+InstApps() {
+ options=()
+ options+=("nodejs-18" "" off)
+ options+=("nodejs-19" "" off)
+ options+=("nodejs-20" "" off)
+ options+=("mongodb-6.0" "" off)
+ options+=("traefik" "" off)
+ options+=("apt-cacher-ng" "" off)
+ options+=("matomo" "" off)
+ options+=("nextcloud-26" "" off)
+ options+=("nextcloud-25" "" off)
+ options+=("proxmox-7" "" off)
+ if [[ ${ISLXC} == 0 ]]; then
+ options+=("docker" "" off)
+ options+=("portainer" "" off)
+ fi
+ options+=("misc-apps" "..." off)
+ options+=("archived-apps" "..." off)
+ SEL=$(whiptail --title "More Apps" --checklist "" 0 0 0 "${options[@]}" 3>&1 1>&2 2>&3)
+ # shellcheck disable=SC2181
+ if [ "$?" = "0" ]; then
+ for ITM in ${SEL}; do
+ case ${ITM//\"/} in
+ misc-apps)
+ InstMiscApps;;
+ archived-apps)
+ InstArchivedApps;;
+ *)
+ cd /tmp || exit
+ wget "${BASE_URL}"/${DIR_URL}/apps/"${ITM//\"/}"/"${ITM//\"/}".sh
+ bash ./"${ITM//\"/}".sh "${BASE_URL}"/${DIR_URL}/apps/"${ITM//\"/}";;
+ esac
+ done
+ fi
+}
+InstMiscApps() {
+ options=()
+ options+=("bind9" "" off)
+ options+=("iperf3" "" off)
+ options+=("webmin" "" off)
+ options+=("tang" "" off)
+ options+=("rinetd" "" off)
+ options+=("tor-gw" "" off)
+ options+=("nextcloud-latest" "unsafe" off)
+ SEL=$(whiptail --title "Misc Apps" --checklist "" 0 0 0 "${options[@]}" 3>&1 1>&2 2>&3)
+ # shellcheck disable=SC2181
+ if [ "$?" = "0" ]; then
+ for ITM in ${SEL}; do
+ cd /tmp || exit
+ wget "${BASE_URL}"/${DIR_URL}/apps/"${ITM//\"/}"/"${ITM//\"/}".sh
+ bash ./"${ITM//\"/}".sh "${BASE_URL}"/${DIR_URL}/apps/"${ITM//\"/}"
+ done
+ fi
+}
+InstArchivedApps() {
+ options=()
+ options+=("mongodb-5.0" "" off)
+ options+=("mongodb-4.4" "" off)
+ options+=("nodejs-16" "" off)
+ options+=("nodejs-14" "" off)
+ options+=("nextcloud-24" "" off)
+ options+=("nextcloud-23" "" off)
+ options+=("nagios" "" off)
+ options+=("nagios-pnp4" "pnp4nagios" off)
+ options+=("dokuwiki" "" off)
+ options+=("xwiki" "" off)
+ SEL=$(whiptail --title "Archived Apps" --checklist "" 0 0 0 "${options[@]}" 3>&1 1>&2 2>&3)
+ # shellcheck disable=SC2181
+ if [ "$?" = "0" ]; then
+ for ITM in ${SEL}; do
+ cd /tmp || exit
+ wget "${BASE_URL}"/${DIR_URL}/apps/"${ITM//\"/}"/"${ITM//\"/}".sh
+ bash ./"${ITM//\"/}".sh "${BASE_URL}"/${DIR_URL}/apps/"${ITM//\"/}"
+ done
+ fi
+}
+
+Reboot() {
+ if whiptail --yesno "Reboot ?" 0 0 3>&1 1>&2 2>&3; then
+ reboot
+ fi
+}
+
+while [ ${#} -gt 0 ]; do
+ case ${1} in
+ --help) showHelp; exit 0;;
+ -b | --base-url) BASE_URL="${2}"; shift;;
+ *) shift;;
+ esac
+done
+
+Main
diff --git a/debian-12/init.sh b/debian-12/init.sh
index 04991c9..75a40e5 100644
--- a/debian-12/init.sh
+++ b/debian-12/init.sh
@@ -243,6 +243,7 @@ ClevisNetInit() {
 done
 IFS=$IFS_ORIG
 DEV=$(whiptail --title "Select root LUKS part" --menu "" 0 0 0 "${options[@]}" 3>&1 1>&2 2>&3)
+ # shellcheck disable=SC2181
 if [ "$?" = "0" ]; then
 TANGURL=$(whiptail --title "Tang Server" --inputbox "URL" 0 30 "" 3>&1 1>&2 2>&3)
 if [ "$?" = "0" ]; then
@@ -341,4 +342,12 @@ Reboot() {
 fi
 }
 
+while [ ${#} -gt 0 ]; do
+ case ${1} in
+ --help) showHelp; exit 0;;
+ -b | --base-url) BASE_URL="${2}"; shift;;
+ *) shift;;
+ esac
+done
+
 Main
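Review bot: In InstApps's `*)` arm, `wget "${BASE_URL}"/${DIR_URL}/apps/"${ITM//\"/}"/"${ITM//\"/}".sh` is followed by `bash ./"${ITM//\"/}".sh ...` with no check that the download succeeded, and because `-O` is not given, an already-present `/tmp/NAME.sh` makes wget save the new copy as `NAME.sh.1` — so after a failed fetch, on a second run, or with a same-named file pre-placed in world-writable `/tmp` by another local user, root runs a script other than the one just fetched. Use `wget -O "./${ITM//\"/}.sh" "${BASE_URL}"/${DIR_URL}/apps/"${ITM//\"/}"/"${ITM//\"/}".sh || continue` and work in a private directory, `cd "$(mktemp -d)" || exit`, instead of `cd /tmp`; InstMiscApps and InstArchivedApps repeat the same wget/bash sequence and need the same change. Separately, SSHEnableRootLogin rewrites `PermitRootLogin prohibit-password` to `PermitRootLogin yes`, which additionally permits password authentication for root over SSH; the original value already allows key-based root login, so a comment stating why passwords are required (or a whiptail prompt gating it) would help a reader of the script.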
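Review bot: `-b | --base-url) BASE_URL="${2}"; shift;;` accepts any value, including an empty one when `-b` is the last argument, yet BASE_URL is the origin of every later `wget` and of the app scripts InstApps hands to `bash` as root, so an empty or plain-http value silently turns the run into failing or plaintext fetches. Guard it with `-b | --base-url) BASE_URL="${2:?--base-url needs a value}"; shift;;` and consider `[[ ${2} == https://* ]] || { showHelp; exit 2; }` before the assignment, since the default is an https URL. The same loop is added at the end of debian-11/init.sh in this commit; the first debian-12 hunk only adds a shellcheck directive.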