#!/bin/sh -eu # # This runs as www-data # occupgrade() { # Maintenance mode must be off ./occ maintenance:mode --off # Sometimes this has to happen twice ./occ upgrade ./occ upgrade } plugin_status() { plugin="$1" plugins_state="$(./occ app:list --output=json_pretty)" version="$(echo "${plugins_state}" | jq -r ".enabled.${plugin}")" if [ "${version}" != "null" ]; then printf "%s\t%s" "enabled" "${version}" else version="$(echo "${plugins_state}" | jq -r ".disabled.${plugin}")" if [ "${version}" != "null" ]; then printf "%s\t%s" "disabled" "${version}" else printf "%s\t%s" "n/a" "n/a" fi fi } cat < Setting up static DD config" STATIC_CFG=/var/www/html/config/zzz_dd.config.php cat > "${STATIC_CFG}" < 'ca', 'skeletondirectory' => '', 'theme' => 'dd', 'allow_local_remote_servers' => true, ); EOF occupgrade # These cannot be edited from outside of the DD project # Operators should instead rely on the environment variables to ease deployment # EXTRA_PLUGINS_ENABLE and EXTRA_PLUGINS_DISABLE CORE_PLUGINS_ENABLE="user_saml,bruteforcesettings,polls,calendar,spreed,bbb,mail,ownpad,onlyoffice" CORE_PLUGINS_DISABLE="firstrunwizard,recommendations,dashboard,circles,forms" if [ "${DISABLE_CLAMAV:-true}" = "false" ]; then CORE_PLUGINS_ENABLE="${CORE_PLUGINS_ENABLE},files_antivirus" USING_CLAMAV="YES" else CORE_PLUGINS_DISABLE="${CORE_PLUGINS_DISABLE},files_antivirus" fi # Take care of installing core plugins and extra requested plugins PLUGINS="${CORE_PLUGINS_ENABLE},${CORE_PLUGINS_DISABLE},${EXTRA_PLUGINS_ENABLE:-},${EXTRA_PLUGINS_DISABLE:-}" # Install all plugins # shellcheck disable=SC2086 # We do want multiple arguments for plugin in $(echo "${PLUGINS}" | tr ',' '\n'); do if plugin_status "${plugin}" | grep -q "n/a"; then echo "--> Installing ${plugin}" ./occ --no-warnings app:install "${plugin}" fi done # Enable core plugins # shellcheck disable=SC2086 # We do want multiple arguments for plugin in $(echo "${CORE_PLUGINS_ENABLE}" | tr ',' '\n'); do if plugin_status "${plugin}" | grep -qE "^disabled"; then echo "--> Enabling core ${plugin}" ./occ --no-warnings app:enable "${plugin}" fi done # Disable core plugins # shellcheck disable=SC2086 # We do want multiple arguments for plugin in $(echo "${CORE_PLUGINS_DISABLE}" | tr ',' '\n'); do if plugin_status "${plugin}" | grep -qE "^enabled"; then echo "--> Disabling core ${plugin}" ./occ --no-warnings app:disable "${plugin}" fi done # Enable extra plugins # shellcheck disable=SC2086 # We do want multiple arguments for plugin in $(echo "${EXTRA_PLUGINS_ENABLE:-}" | tr ',' '\n'); do if plugin_status "${plugin}" | grep -qE "^disabled"; then echo "--> Enabling extra ${plugin}" ./occ --no-warnings app:enable "${plugin}" fi done # Disable extra plugins # shellcheck disable=SC2086 # We do want multiple arguments for plugin in $(echo "${EXTRA_PLUGINS_DISABLE:-}" | tr ',' '\n'); do if plugin_status "${plugin}" | grep -qE "^enabled"; then echo "--> Disabling extra ${plugin}" ./occ --no-warnings app:disable "${plugin}" fi done occupgrade # Temporary patch while upstream lands our changes # See: https://github.com/nextcloud/mail/pull/6908 for f in appinfo/info.xml lib/Command/UpdateAccount.php lib/Db/MailAccountMapper.php; do install -m 0644 -o www-data -g www-data "/nc_mail/$f" "/var/www/html/custom_apps/mail/$f" done occupgrade ## Forms # TODO: This is broken in NC 24 due to: # https://github.com/nextcloud/forms/pull/1149/files ## TODO: request explanations and reduce upstream diff ## This is what is being used: https://github.com/juanan3ip/form #FORMS_EXPECTED_HASH="$(cat /forms.hash)" #FORMS_DIR="/var/www/html/custom_apps/forms" #FORMS_HASH="" #if [ -f "${FORMS_DIR}.hash" ]; then # FORMS_HASH="$(cat "${FORMS_DIR}.hash")" #fi #if [ "${FORMS_EXPECTED_HASH}" != "${FORMS_HASH}" ]; then # # Remove old plugin # rm -rf "${FORMS_DIR}" # # Install new one # unzip -o /forms.zip -d /tmp # mv "/tmp/form-${FORMS_EXPECTED_HASH}" "${FORMS_DIR}" # # Perform config / install # npm --prefix "${FORMS_DIR}" install # composer --ignore-platform-req=ext-dom -d"${FORMS_DIR}" install --no-dev -o # # Place hash marker # cp /forms.hash "${FORMS_DIR}.hash" #fi #if plugin_status "${plugin}" | grep -qE "^disabled"; then # ./occ app:enable forms #fi # #occupgrade # # Apply app-specific configurations # echo "--> Configuring BBB" # Host ./occ config:app:set -n bbb api.url --value="${BBB_HOST:-}" # API Secret ./occ config:app:set -n -q bbb api.secret --value="${BBB_API_SECRET:-}" # Disable Big Blue Button media check by default ./occ config:app:set -n bbb join.mediaCheck --value="false" # Disable Big Blue Button listen only mode by default # And enable option to join muted to Big Blue Button room by default ## TODO: Upstream these as toggeable settings # shellcheck disable=SC2016 # We want these literal strings sed -i.orig \ -e 's/^\(\s*$room->setListenOnly(\)true\();\)$/\1false\2/' \ -e 's/^\(\s*$room->setJoinMuted(\)false\();\)$/\1true\2/' \ /var/www/html/custom_apps/bbb/lib/Service/RoomService.php # Remove meeting join nextcloud bbb app dialog exclamation marks sed -i.orig \ -e 's/\(^\s*"Please enter your name!" : [^¡]*\)¡\?\([^!]*\)!\(.*\)$/\1\2\3/' \ -e 's/\(^\s*"Let.s go!" : [^¡]*\)¡\?\([^!]*\)!\(.*\)$/\1\2\3/' \ /var/www/html/custom_apps/bbb/l10n/*.json # Patches / fixes for Ownpad ## Fix mimetypemapping for ownpad MIMETYPEMAPPINGJSON="/var/www/html/config/mimetypemapping.json" if ! grep -q "application/x-ownpad" "${MIMETYPEMAPPINGJSON}"; then jq '. + {"pad": ["application/x-ownpad"], "calc": ["application/x-ownpad"]}' \ /var/www/html/resources/config/mimetypemapping.dist.json > "${MIMETYPEMAPPINGJSON}" # We have to tell NC about this change as documented here: # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#maintenance-commands ./occ maintenance:mimetype:update-db fi ## Open pads on new tab/window OWNPADJS="/var/www/html/custom_apps/ownpad/js/ownpad.js" if ! grep -q viewerDD "${OWNPADJS}"; then ## TODO: Upstream this as a toggeable setting sed -i.orig 's/^\(\s*\)var viewer = \(OC.generateUrl.*\)/\1var viewerDD = \2; window.open(viewerDD); return;/' "${OWNPADJS}" fi # Settings echo "--> Applying custom settings" ./occ --no-warnings config:app:set -n ownpad ownpad_etherpad_enable --value="yes" ./occ --no-warnings config:app:set -n ownpad ownpad_etherpad_host --value="https://pad.$DOMAIN" ./occ --no-warnings config:app:set -n onlyoffice DocumentServerUrl --value="https://oof.$DOMAIN" ./occ --no-warnings config:app:set -n onlyoffice jwt_secret --value="secret" ./occ --no-warnings config:app:set -n onlyoffice jwt_header --value="Authorization" ./occ --no-warnings config:app:set -n onlyoffice sameTab --value="false" # Moodle nextcloud task needs forcesave onlyoffice option ./occ --no-warnings config:app:set -n onlyoffice customizationForcesave --value="true" # Add allow list IPs ./occ --no-warnings config:app:set -n bruteForce whitelist_1 --value='172.16.0.0/12' # OnlyOffice ./occ --no-warnings config:app:set -n onlyoffice preview --value="true" ./occ --no-warnings config:app:set -n onlyoffice defFormats --value='{"csv":"false","doc":"true","docm":"false","docx":"true","docxf":"true","oform":"true","dotx":"false","epub":"false","html":"false","odp":"true","ods":"true","odt":"true","otp":"true","ots":"true","ott":"true","pdf":"false","potm":"false","potx":"false","ppsm":"false","ppsx":"true","ppt":"true","pptm":"false","pptx":"true","rtf":"false","txt":"false","xls":"true","xlsm":"false","xlsx":"true","xltm":"false","xltx":"true"}' ./occ --no-warnings config:app:set -n onlyoffice editFormats --value='{"csv":"true","odp":"false","ods":"false","odt":"false","rtf":"false","txt":"true"}' if [ -n "${USING_CLAMAV:-}" ]; then echo "--> Configuring ClamAV" ./occ --no-warnings config:app:set -n files_antivirus av_mode --value="daemon" ./occ --no-warnings config:app:set -n files_antivirus av_host --value="dd-apps-clamav" ./occ --no-warnings config:app:set -n files_antivirus av_port --value="3310" ./occ --no-warnings config:app:set -n files_antivirus av_infected_action --value="only_log" ./occ --no-warnings config:app:set -n files_antivirus av_stream_max_length --value="26214400" ./occ --no-warnings config:app:set -n files_antivirus av_max_file_size --value="-1" fi # Allow nextcloud into other apps iframes echo "--> Fixing CSP" # TODO: this should be done in a different fashion # Content-Security-Policy: frame-ancestors 'self' *.$DOMAIN; # Content-Set-Policy: connect-src 'self -' *.$DOMAIN; # Content-Set-Policy: img-src 'self' *. -$DOMAIN; # Content-Set-Policy: style-src 'self' -*.$DOMAIN; # Content-Set-Policy: font-src 'self' * -.$DOMAIN; sed -i \ -E "s%'\\\\'self\\\\'',.*$%'\\\\'self\\\\'', '*.${DOMAIN}',%" \ /var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php # Add default file for moodle activities TEMPLATEDOCX="/var/www/html/data/admin/files/template.docx" if [ ! -f "${TEMPLATEDOCX}" ]; then echo "--> Copying activity template for Moodle" cp /template.docx "${TEMPLATEDOCX}" # We have to tell NC about this change ./occ files:scan admin fi # Configure logo echo "--> Configuring logo" # TODO: This should be a tad more dynamic cachebuster="0" if ./occ config:app:get theming cachebuster; then cachebuster="$(./occ config:app:get theming cachebuster)" fi ./occ theming:config logo /custom/img/logo.png ./occ theming:config background /custom/img/background.png ./occ config:app:set theming cachebuster --value="$((cachebuster + 1 ))" occupgrade cat <