digitaldemocratic/dd-apps/docker/nextcloud/nc-setup.sh


#!/bin/sh -eu
#
# This runs as www-data
#
# Run the Nextcloud upgrade routine through ./occ (resolved against the
# current working directory).
# Outputs: whatever the occ commands print.
# Returns: status of the last occ call; with the shebang's -e a failing call
#          aborts the script.
occupgrade() {
  # Maintenance mode has to be off before upgrading.
  ./occ maintenance:mode --off
  # One pass is sometimes not enough, so the upgrade is always run twice.
  for _pass in 1 2; do
    ./occ upgrade
  done
}
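# Print the state of one Nextcloud app as "<state>\t<version>" on stdout,
# without a trailing newline. <state> is "enabled" or "disabled"; an app that
# `occ app:list` does not report at all yields "n/a\tn/a".
# Arguments: $1 - app id to look up
# Globals:   plugin, plugins_state, version (written; no `local` in POSIX sh)
# Returns:   0 once a line has been printed
plugin_status() {
  plugin="$1"
  plugins_state="$(./occ app:list --output=json_pretty)"
  # The app id is handed to jq as data (--arg) rather than spliced into the
  # filter text. Callers take ids from EXTRA_PLUGINS_ENABLE/_DISABLE, and an id
  # containing jq syntax (a dash, a dot, a quote) would otherwise be parsed as
  # part of the filter and give a wrong or empty answer.
  # printf is used instead of echo so backslashes in the JSON are passed
  # through unchanged whatever /bin/sh is.
  version="$(printf '%s\n' "${plugins_state}" | jq -r --arg app "${plugin}" '.enabled[$app]')"
  if [ "${version}" != "null" ]; then
    printf "%s\t%s" "enabled" "${version}"
    return 0
  fi
  version="$(printf '%s\n' "${plugins_state}" | jq -r --arg app "${plugin}" '.disabled[$app]')"
  if [ "${version}" != "null" ]; then
    printf "%s\t%s" "disabled" "${version}"
  else
    printf "%s\t%s" "n/a" "n/a"
  fi
}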
# Start-of-run banner (quoted delimiter: the text is emitted literally).
cat <<'EOF'
**************************************
Performing DD-specific Nextcloud setup
**************************************
EOF
# Install static settings
echo "--> Setting up static DD config"
STATIC_CFG=/var/www/html/config/zzz_dd.config.php
# The file is rewritten on every run, so manual edits to it do not survive.
# NOTE(review): 'allow_local_remote_servers' => true lets Nextcloud make
# server-side requests to local/private addresses, which relaxes its SSRF
# guard. Presumably needed to reach other DD services on the internal
# network - confirm it is still required.
cat > "${STATIC_CFG}" <<'EOF'
<?php
/** DD-customised static settings
*/
$CONFIG = array(
'default_language' => 'ca',
'skeletondirectory' => '',
'theme' => 'dd',
'allow_local_remote_servers' => true,
);
EOF
occupgrade
# Core app lists are fixed by the DD project. Operators add or remove apps
# through the EXTRA_PLUGINS_ENABLE and EXTRA_PLUGINS_DISABLE environment
# variables instead (comma-separated app ids).
CORE_PLUGINS_ENABLE="user_saml,bruteforcesettings,polls,calendar,spreed,bbb,mail,ownpad,onlyoffice"
CORE_PLUGINS_DISABLE="firstrunwizard,recommendations,dashboard,circles"
# Antivirus is opt-in: files_antivirus is only enabled when DISABLE_CLAMAV is
# exactly "false". Unset or any other value puts it on the disable list, so
# uploads are not scanned by default.
case "${DISABLE_CLAMAV:-true}" in
  false)
    CORE_PLUGINS_ENABLE="${CORE_PLUGINS_ENABLE},files_antivirus"
    USING_CLAMAV="YES"
    ;;
  *)
    CORE_PLUGINS_DISABLE="${CORE_PLUGINS_DISABLE},files_antivirus"
    ;;
esac
# Every app that has to be present, whether it ends up enabled or disabled
PLUGINS="${CORE_PLUGINS_ENABLE},${CORE_PLUGINS_DISABLE},${EXTRA_PLUGINS_ENABLE:-},${EXTRA_PLUGINS_DISABLE:-}"
# Run one occ app action for every app in a comma-separated list whose current
# state (as printed by plugin_status) matches a pattern.
# Arguments: $1 - comma-separated app ids
#            $2 - grep -E pattern tested against the plugin_status output
#            $3 - verb used in the progress message
#            $4 - occ app sub-command: install, enable or disable
# Globals:   plugin (written; loop variable)
# The list is split by the shell, so ids are also split on whitespace and are
# subject to pathname expansion; empty entries disappear.
dd_apply_plugin_action() {
  # shellcheck disable=SC2086 # We do want multiple arguments
  for plugin in $(echo "$1" | tr ',' '\n'); do
    if plugin_status "${plugin}" | grep -qE "$2"; then
      echo "--> $3 ${plugin}"
      ./occ --no-warnings "app:$4" "${plugin}"
    fi
  done
}

# Install all plugins that occ does not know yet.
# NOTE(review): PLUGINS also contains both *_DISABLE lists, so an app that is
# only meant to be disabled is first fetched and installed when absent.
# EXTRA_PLUGINS_* therefore decides which third-party app code gets
# installed; treat those variables as trusted deployment input.
dd_apply_plugin_action "${PLUGINS}" "n/a" "Installing" install
# Enable core plugins
dd_apply_plugin_action "${CORE_PLUGINS_ENABLE}" "^disabled" "Enabling core" enable
# Disable core plugins
dd_apply_plugin_action "${CORE_PLUGINS_DISABLE}" "^enabled" "Disabling core" disable
# Enable extra plugins
dd_apply_plugin_action "${EXTRA_PLUGINS_ENABLE:-}" "^disabled" "Enabling extra" enable
# Disable extra plugins
dd_apply_plugin_action "${EXTRA_PLUGINS_DISABLE:-}" "^enabled" "Disabling extra" disable
occupgrade
# Temporary patch while upstream lands our changes
# See: https://github.com/nextcloud/mail/pull/6908
# The three files are copied over the installed mail app from /nc_mail.
# NOTE(review): nothing here checks which mail app version is installed, so
# the overlay may not match the app it is written into - verify after every
# mail app update, and drop this once the upstream change is released.
mail_patch_src="/nc_mail"
mail_app_dir="/var/www/html/custom_apps/mail"
for rel in appinfo/info.xml lib/Command/UpdateAccount.php lib/Db/MailAccountMapper.php; do
  install -m 0644 -o www-data -g www-data "${mail_patch_src}/${rel}" "${mail_app_dir}/${rel}"
done
occupgrade
## Forms
# TODO: This is broken due to:
# https://github.com/nextcloud/forms/pull/1149/files
## TODO: request explanations and reduce upstream diff
## This is what is being used: https://github.com/juanan3ip/form
#FORMS_EXPECTED_HASH="$(cat /forms.hash)"
#FORMS_DIR="/var/www/html/custom_apps/forms"
#FORMS_HASH=""
#if [ -f "${FORMS_DIR}.hash" ]; then
# FORMS_HASH="$(cat "${FORMS_DIR}.hash")"
#fi
#if [ "${FORMS_EXPECTED_HASH}" != "${FORMS_HASH}" ]; then
# # Remove old plugin
# rm -rf "${FORMS_DIR}"
# # Install new one
# unzip -o /forms.zip -d /tmp
# mv "/tmp/form-${FORMS_EXPECTED_HASH}" "${FORMS_DIR}"
# # We need to patch appinfo temporarily
# # TODO: Fix this on 3ip repo
# sed -i.orig \
# -E 's!<nextcloud(.*)max-version="[^"]*"!<nextcloud\1max-version="25"!' \
# "${FORMS_DIR}/appinfo/info.xml"
# # Perform config / install
# npm --prefix "${FORMS_DIR}" install
# composer --ignore-platform-req=ext-dom -d"${FORMS_DIR}" install --no-dev -o
# # Place hash marker
# cp /forms.hash "${FORMS_DIR}.hash"
#fi
#if plugin_status "${plugin}" | grep -qE "^disabled"; then
# ./occ app:enable forms
#fi
#
#occupgrade
#
# Apply app-specific configurations
#
echo "--> Configuring BBB"
# Both values come from the environment; when a variable is unset an empty
# string is stored rather than the step being skipped.
bbb_host="${BBB_HOST:-}"
bbb_secret="${BBB_API_SECRET:-}"
# Host
./occ config:app:set -n bbb api.url --value="${bbb_host}"
# API secret. -q keeps occ from echoing the value into the setup output; the
# secret is still passed on the occ command line.
./occ config:app:set -n -q bbb api.secret --value="${bbb_secret}"
# Disable Big Blue Button media check by default
./occ config:app:set -n bbb join.mediaCheck --value="false"
# Patch the installed bbb app in place so that rooms default to
# listen-only = false and join-muted = true.
# First expression:  `$room->setListenOnly(true);`  -> `...(false);`
# Second expression: `$room->setJoinMuted(false);`  -> `...(true);`
# Each only matches when the call is the whole line apart from leading
# whitespace. `\s` is a GNU sed extension.
# sed exits 0 even when nothing matched, so a change in the upstream source
# turns this patch into a silent no-op.
# -i.orig leaves a RoomService.php.orig copy next to the patched file; on a
# second run that copy holds the already-patched content.
# NOTE(review): editing an installed app's files presumably makes Nextcloud's
# app integrity check report it as modified - confirm this is expected.
## TODO: Upstream these as toggleable settings
# shellcheck disable=SC2016 # We want these literal strings
sed -i.orig \
-e 's/^\(\s*$room->setListenOnly(\)true\();\)$/\1false\2/' \
-e 's/^\(\s*$room->setJoinMuted(\)false\();\)$/\1true\2/' \
/var/www/html/custom_apps/bbb/lib/Service/RoomService.php
# Remove the exclamation marks from the bbb app's "join meeting" dialog texts.
# In every l10n JSON file, on the lines keyed "Please enter your name!" and
# "Let.s go!" (the dot matches any character), an optional opening "¡" and
# the first "!" after it in the translated value are dropped. The key itself
# is left unchanged.
sed -i.orig \
-e 's/\(^\s*"Please enter your name!" : [^¡]*\)¡\?\([^!]*\)!\(.*\)$/\1\2\3/' \
-e 's/\(^\s*"Let.s go!" : [^¡]*\)¡\?\([^!]*\)!\(.*\)$/\1\2\3/' \
/var/www/html/custom_apps/bbb/l10n/*.json
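# Patches / fixes for Ownpad
## Fix mimetypemapping for ownpad
# Register the "pad" and "calc" extensions as application/x-ownpad. The
# mapping is rebuilt from the distributed defaults, so whatever the config
# file held before is replaced. The grep makes the step a no-op once the
# ownpad type is present.
MIMETYPEMAPPINGJSON="/var/www/html/config/mimetypemapping.json"
if ! grep -q "application/x-ownpad" "${MIMETYPEMAPPINGJSON}"; then
  # Write to a sibling file and rename it into place. Redirecting straight
  # into the live file truncates it before jq runs, so a jq failure (the
  # script then aborts because of -e) would leave Nextcloud with an empty
  # mapping file.
  jq '. + {"pad": ["application/x-ownpad"], "calc": ["application/x-ownpad"]}' \
    /var/www/html/resources/config/mimetypemapping.dist.json > "${MIMETYPEMAPPINGJSON}.new"
  mv -f "${MIMETYPEMAPPINGJSON}.new" "${MIMETYPEMAPPINGJSON}"
  # We have to tell NC about this change as documented here:
  # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#maintenance-commands
  ./occ maintenance:mimetype:update-db
fi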
## Open pads on new tab/window
# Rewrites the `var viewer = OC.generateUrl...` line of the installed ownpad
# script so that the generated URL is opened with window.open() and the
# function returns straight away. Whatever followed that statement in the
# original function no longer runs.
# The grep for the marker name viewerDD keeps the patch from being applied
# twice. As with any sed edit, an upstream change to that line makes this a
# silent no-op. -i.orig leaves ownpad.js.orig beside the patched file.
OWNPADJS="/var/www/html/custom_apps/ownpad/js/ownpad.js"
if ! grep -q viewerDD "${OWNPADJS}"; then
## TODO: Upstream this as a toggleable setting
sed -i.orig 's/^\(\s*\)var viewer = \(OC.generateUrl.*\)/\1var viewerDD = \2; window.open(viewerDD); return;/' "${OWNPADJS}"
fi
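# Settings
echo "--> Applying custom settings"
# DOMAIN must be set: the shebang's -u aborts the script otherwise.
./occ --no-warnings config:app:set -n ownpad ownpad_etherpad_enable --value="yes"
./occ --no-warnings config:app:set -n ownpad ownpad_etherpad_host --value="https://pad.$DOMAIN"
./occ --no-warnings config:app:set -n onlyoffice DocumentServerUrl --value="https://oof.$DOMAIN"
# OnlyOffice JWT secret: Nextcloud and the Document Server sign their requests
# to each other with it. The literal "secret" used so far is the same on every
# deployment, so anyone who can reach the Document Server can produce tokens
# it accepts. ONLYOFFICE_JWT_SECRET is a new, optional variable introduced by
# this change; when unset the old value is kept so existing deployments keep
# working. The Document Server must be configured with the same value.
onlyoffice_jwt_secret="${ONLYOFFICE_JWT_SECRET:-secret}"
if [ "${onlyoffice_jwt_secret}" = "secret" ]; then
  echo "WARNING: OnlyOffice jwt_secret is the built-in default; set ONLYOFFICE_JWT_SECRET to a random value shared with the Document Server" >&2
fi
# -q, as for the BBB API secret, keeps occ from echoing the value.
./occ --no-warnings config:app:set -n -q onlyoffice jwt_secret --value="${onlyoffice_jwt_secret}"
./occ --no-warnings config:app:set -n onlyoffice jwt_header --value="Authorization"
./occ --no-warnings config:app:set -n onlyoffice sameTab --value="false"
# Moodle nextcloud task needs forcesave onlyoffice option
./occ --no-warnings config:app:set -n onlyoffice customizationForcesave --value="true"
# Add allow list IPs
# 172.16.0.0/12 covers 172.16.0.0 - 172.31.255.255.
# NOTE(review): requests Nextcloud sees as coming from this range are exempt
# from brute-force throttling. If the reverse proxy sits in this range and
# Nextcloud is not given the real client address, that would cover every
# login attempt - verify the proxy setup.
./occ --no-warnings config:app:set -n bruteForce whitelist_1 --value='172.16.0.0/12'
# OnlyOffice
./occ --no-warnings config:app:set -n onlyoffice preview --value="true"
./occ --no-warnings config:app:set -n onlyoffice defFormats --value='{"csv":"false","doc":"true","docm":"false","docx":"true","docxf":"true","oform":"true","dotx":"false","epub":"false","html":"false","odp":"true","ods":"true","odt":"true","otp":"true","ots":"true","ott":"true","pdf":"false","potm":"false","potx":"false","ppsm":"false","ppsx":"true","ppt":"true","pptm":"false","pptx":"true","rtf":"false","txt":"false","xls":"true","xlsm":"false","xlsx":"true","xltm":"false","xltx":"true"}'
./occ --no-warnings config:app:set -n onlyoffice editFormats --value='{"csv":"true","odp":"false","ods":"false","odt":"false","rtf":"false","txt":"true"}'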
# Store one files_antivirus app setting.
# Arguments: $1 - config key, $2 - value
dd_av_set() {
  ./occ --no-warnings config:app:set -n files_antivirus "$1" --value="$2"
}

# Only runs when the antivirus app was put on the enable list earlier
# (USING_CLAMAV is set when DISABLE_CLAMAV is "false").
if [ -n "${USING_CLAMAV:-}" ]; then
  echo "--> Configuring ClamAV"
  # Scanner is reached as a daemon at dd-apps-clamav:3310
  dd_av_set av_mode "daemon"
  dd_av_set av_host "dd-apps-clamav"
  dd_av_set av_port "3310"
  # NOTE(review): "only_log" - detections are presumably just logged and the
  # file stays in place; confirm this is the intended policy.
  dd_av_set av_infected_action "only_log"
  # 26214400 bytes = 25 MiB
  dd_av_set av_stream_max_length "26214400"
  # NOTE(review): -1 presumably means "no size limit" - confirm how this
  # interacts with the stream length above for larger files.
  dd_av_set av_max_file_size "-1"
fi
# Allow nextcloud into other apps iframes
echo "--> Fixing CSP"
# TODO: this should be done in a different fashion
# Intended policy, as far as the original notes can be read: frame-ancestors,
# connect-src, img-src, style-src and font-src each allow 'self' and
# *.$DOMAIN.
# What the command does: in Nextcloud's core ContentSecurityPolicy.php, every
# line containing the PHP text '\'self\'', has the rest of that line replaced
# by '\'self\'', '*.$DOMAIN', - anything that followed on the line is dropped.
# After shell unquoting, each \\\\ reaches sed as \\, i.e. one literal
# backslash.
# NOTE(review):
#  - the match is not limited to particular directives, so every default
#    list that starts this way presumably gains the wildcard; check the
#    resulting headers, since any host under the domain becomes an allowed
#    source;
#  - ${DOMAIN} is pasted into the sed program, so a value containing %, & or
#    a backslash would change the expression;
#  - the edit is made in a core file without a backup (no -i suffix) and
#    has to be re-applied after a Nextcloud update.
sed -i \
-E "s%'\\\\'self\\\\'',.*$%'\\\\'self\\\\'', '*.${DOMAIN}',%" \
/var/www/html/lib/public/AppFramework/Http/ContentSecurityPolicy.php
# Default document used by the Moodle activities. It is placed in the file
# area of the user "admin" once and left alone when it already exists.
# NOTE(review): assumes an account called "admin" exists - confirm.
TEMPLATEDOCX="/var/www/html/data/admin/files/template.docx"
if ! test -f "${TEMPLATEDOCX}"; then
  echo "--> Copying activity template for Moodle"
  cp /template.docx "${TEMPLATEDOCX}"
  # The file was written behind Nextcloud's back, so have it rescan that user
  ./occ files:scan admin
fi
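# Configure logo
echo "--> Configuring logo"
# TODO: This should be a tad more dynamic
# Read the current cachebuster once; fall back to 0 when the key is unset
# (occ then exits non-zero).
cachebuster="$(./occ config:app:get theming cachebuster)" || cachebuster="0"
# The value feeds shell arithmetic below. Accept plain digits only: anything
# else would make the arithmetic fail, or be evaluated as an expression by
# some shells.
case "${cachebuster}" in
  '' | *[!0-9]*) cachebuster="0" ;;
esac
./occ theming:config logo /custom/img/logo.png
./occ theming:config background /custom/img/background.png
# Bump the counter so clients fetch the new images instead of cached ones
./occ config:app:set theming cachebuster --value="$((cachebuster + 1))"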
# Final upgrade pass after all settings and patches, then the closing banner
# (quoted delimiter: the text is emitted literally).
occupgrade
cat <<'EOF'
*************************************
Done with DD-specific Nextcloud setup
*************************************
EOF