This commit is contained in:
Bob Mottram 2017-08-11 10:40:32 +01:00
commit 801aab4f9f
14 changed files with 133 additions and 128 deletions


@ -24,6 +24,8 @@ NextCloud is a system for file synchronisation and also has many other plugins f
The videoconferencing plugin requires a browser with WebRTC support and so is unlikely to work in a Tor browser, but may still be a better option than using proprietary systems. The videoconferencing plugin requires a browser with WebRTC support and so is unlikely to work in a Tor browser, but may still be a better option than using proprietary systems.
* Operational considerations
If your ISP or the government in your area is part of your threat model then NextCloud may not be the best choice for hosting files and [[./app_syncthing.html][Syncthing]] could be preferable. In the past the NextCloud company is known to have remotely scanned servers without permission and reported server admins who don't immediately update to the latest version of the software to their ISPs or to questionable government agencies. Depending upon where you are located such activities by the developer, which are not really in the spirit of independent self-hosting, could have very undesirable results.
* Installation * Installation
Log into your system with: Log into your system with:



@ -299,6 +299,7 @@ function gnusocial_set_expire_months {
} }
function configure_interactive_gnusocial { function configure_interactive_gnusocial {
read_config_param GNUSOCIAL_EXPIRE_MONTHS
while true while true
do do
data=$(tempfile 2>/dev/null) data=$(tempfile 2>/dev/null)


@ -13,7 +13,7 @@
# License # License
# ======= # =======
# #
# Copyright (C) 2016 Bob Mottram <bob@freedombone.net> # Copyright (C) 2016-2017 Bob Mottram <bob@freedombone.net>
# #
# This program is free software: you can redistribute it and/or modify # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by # it under the terms of the GNU Affero General Public License as published by
@ -37,7 +37,7 @@ MAILPILE_DOMAIN_NAME=
MAILPILE_CODE= MAILPILE_CODE=
MAILPILE_ONION_PORT=8103 MAILPILE_ONION_PORT=8103
MAILPILE_REPO="https://github.com/mailpile/Mailpile" MAILPILE_REPO="https://github.com/mailpile/Mailpile"
MAILPILE_COMMIT='6f56fe4ad736c8e385bea658454bed110d08c60d' MAILPILE_COMMIT='88ae8e5831dddc628c827c44224166dbdbed91f1'
MAILPILE_PORT=33411 MAILPILE_PORT=33411
mailpile_variables=(MAILPILE_REPO mailpile_variables=(MAILPILE_REPO
@ -45,6 +45,7 @@ mailpile_variables=(MAILPILE_REPO
MAILPILE_CODE MAILPILE_CODE
ONION_ONLY ONION_ONLY
DDNS_PROVIDER DDNS_PROVIDER
DEFAULT_DOMAIN_NAME
MY_USERNAME) MY_USERNAME)
function logging_on_mailpile { function logging_on_mailpile {
@ -109,118 +110,19 @@ function upgrade_mailpile {
} }
function backup_local_mailpile { function backup_local_mailpile {
if [ ! -f /etc/systemd/system/mailpile.service ]; then echo -n ''
return
fi
MAILPILE_DOMAIN_NAME='mailpile.local'
if grep -q "mailpile domain" $COMPLETION_FILE; then
MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
fi
source_directory=/var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
if [ -d $source_directory ]; then
systemctl stop mailpile
function_check backup_directory_to_usb
backup_directory_to_usb $source_directory mailpile
systemctl start mailpile
fi
} }
function restore_local_mailpile { function restore_local_mailpile {
if [ ! -f /etc/systemd/system/mailpile.service ]; then echo -n ''
return
fi
MAILPILE_DOMAIN_NAME='mailpile.local'
if grep -q "mailpile domain" $COMPLETION_FILE; then
MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
fi
if [ $MAILPILE_DOMAIN_NAME ]; then
systemctl stop mailpile
temp_restore_dir=/root/tempmailpile
restore_directory_from_usb $temp_restore_dir mailpile
if [ -d /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local ]; then
mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous
fi
temp_source_dir=$(find ${temp_restore_dir} -name ".local")
cp -r ${temp_source_dir} /var/www/${MAILPILE_DOMAIN_NAME}/mail/
if [ ! "$?" = "0" ]; then
if [ -d mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous ]; then
if [ -d /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous ]; then
rm -rf /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous
fi
mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
fi
backup_unmount_drive
exit 3685
fi
rm -rf ${temp_restore_dir}
chown -R mailpile: /var/www/$MAILPILE_DOMAIN_NAME/mail/
if [ -d /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME} ]; then
ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${MAILPILE_DOMAIN_NAME}.key
ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${MAILPILE_DOMAIN_NAME}.pem
fi
systemctl start mailpile
fi
} }
function backup_remote_mailpile { function backup_remote_mailpile {
if [ ! -f /etc/systemd/system/mailpile.service ]; then echo -n ''
return
fi
MAILPILE_DOMAIN_NAME='mailpile.local'
if grep -q "mailpile domain" $COMPLETION_FILE; then
MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
fi
source_directory=/var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
if [ -d $source_directory ]; then
systemctl stop mailpile
function_check backup_directory_to_usb
backup_directory_to_friend $source_directory mailpile
systemctl start mailpile
fi
} }
function restore_remote_mailpile { function restore_remote_mailpile {
if [ ! -f /etc/systemd/system/mailpile.service ]; then echo -n ''
return
fi
MAILPILE_DOMAIN_NAME='mailpile.local'
if grep -q "mailpile domain" $COMPLETION_FILE; then
MAILPILE_DOMAIN_NAME=$(get_completion_param "mailpile domain")
fi
if [ $MAILPILE_DOMAIN_NAME ]; then
systemctl stop mailpile
temp_restore_dir=/root/tempmailpile
restore_directory_from_friend $temp_restore_dir mailpile
if [ -d /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local ]; then
mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous
fi
temp_source_dir=$(find ${temp_restore_dir} -name ".local")
cp -r ${temp_source_dir} /var/www/${MAILPILE_DOMAIN_NAME}/mail/
if [ ! "$?" = "0" ]; then
if [ -d mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous ]; then
mv /var/www/${MAILPILE_DOMAIN_NAME}/mail/.previous /var/www/${MAILPILE_DOMAIN_NAME}/mail/.local
fi
backup_unmount_drive
exit 36732
fi
rm -rf ${temp_restore_dir}
chown -R mailpile: /var/www/$MAILPILE_DOMAIN_NAME/mail/
if [ -d /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME} ]; then
ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/privkey.pem /etc/ssl/private/${MAILPILE_DOMAIN_NAME}.key
ln -s /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME}/fullchain.pem /etc/ssl/certs/${MAILPILE_DOMAIN_NAME}.pem
fi
systemctl start mailpile
fi
} }
function remove_mailpile { function remove_mailpile {
@ -305,6 +207,11 @@ function install_mailpile {
adduser mailpile www-data adduser mailpile www-data
adduser mailpile mail adduser mailpile mail
adduser mailpile $MY_USERNAME adduser mailpile $MY_USERNAME
if [[ $ONION_ONLY == 'no' ]]; then
chgrp -R ssl-cert /etc/letsencrypt
chmod -R g=rX /etc/letsencrypt
usermod -a -G ssl-cert mailpile
fi
chown -R mailpile: /var/www/$MAILPILE_DOMAIN_NAME/mail/ chown -R mailpile: /var/www/$MAILPILE_DOMAIN_NAME/mail/
# create folders and tags # create folders and tags
@ -440,6 +347,17 @@ function install_mailpile {
pip install jinja2==2.9.6 pip install jinja2==2.9.6
pip install pgpdump==1.5 pip install pgpdump==1.5
# turn off ssl in dovecot
sed -i 's|#ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
# set ssl certs, just in case we want to use them later
sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt|g" /etc/dovecot/conf.d/10-ssl.conf
sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt|g" /etc/dovecot/conf.d/10-ssl.conf
sed -i "s|#ssl_key =.*|ssl_key = </etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/dovecot/conf.d/10-ssl.conf
sed -i "s|ssl_key =.*|ssl_key = </etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/dovecot/conf.d/10-ssl.conf
systemctl restart dovecot
systemctl enable mailpile systemctl enable mailpile
systemctl daemon-reload systemctl daemon-reload
systemctl start mailpile systemctl start mailpile
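Review bot: `chgrp -R ssl-cert /etc/letsencrypt` followed by `chmod -R g=rX /etc/letsencrypt` makes every Let's Encrypt private key on the host (all domains under `archive/`) readable by the whole ssl-cert group, which other services such as prosody already belong to (`usermod -a -G ssl-cert prosody` in the xmpp script) and which mailpile now joins; a compromise of any member service then exposes all certificates' keys, not just Mailpile's. Which certificate Mailpile actually reads is not visible here — the dovecot block in the later hunk points at `/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt`, not the letsencrypt tree — so confirm it needs the tree at all; if it only needs its own domain, scope the group grant to that domain's `live/` and `archive/` directories and leave the rest of `/etc/letsencrypt` root-only. install_mailpile starts and ends outside the hunk.
```shell
if [[ $ONION_ONLY == 'no' ]]; then
    # only this domain's certificate is exposed to the ssl-cert group;
    # the parent directories get g+x so members can traverse them
    chgrp ssl-cert /etc/letsencrypt /etc/letsencrypt/live /etc/letsencrypt/archive
    chmod g+x /etc/letsencrypt /etc/letsencrypt/live /etc/letsencrypt/archive
    chgrp -R ssl-cert /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME} /etc/letsencrypt/archive/${MAILPILE_DOMAIN_NAME}
    chmod -R g=rX /etc/letsencrypt/live/${MAILPILE_DOMAIN_NAME} /etc/letsencrypt/archive/${MAILPILE_DOMAIN_NAME}
    usermod -a -G ssl-cert mailpile
fi
```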


@ -64,7 +64,9 @@ matrix_variables=(ONION_ONLY
function logging_on_matrix { function logging_on_matrix {
if [ -f /var/lib/matrix/homeserver.yaml ]; then if [ -f /var/lib/matrix/homeserver.yaml ]; then
if ! grep -q "log_file: /etc/matrix/homeserver.log" /var/lib/matrix/homeserver.yaml; then
sed -i 's|log_file:.*|log_file: /etc/matrix/homeserver.log|g' /var/lib/matrix/homeserver.yaml sed -i 's|log_file:.*|log_file: /etc/matrix/homeserver.log|g' /var/lib/matrix/homeserver.yaml
fi
if ! grep -q "#log_config:" /var/lib/matrix/homeserver.yaml; then if ! grep -q "#log_config:" /var/lib/matrix/homeserver.yaml; then
sed -i 's|log_config:|#log_config:|g' /var/lib/matrix/homeserver.yaml sed -i 's|log_config:|#log_config:|g' /var/lib/matrix/homeserver.yaml
fi fi
@ -73,7 +75,9 @@ function logging_on_matrix {
function logging_off_matrix { function logging_off_matrix {
if [ -f /var/lib/matrix/homeserver.yaml ]; then if [ -f /var/lib/matrix/homeserver.yaml ]; then
if ! grep -q "log_file: /dev/null" /var/lib/matrix/homeserver.yaml; then
sed -i 's|log_file:.*|log_file: /dev/null|g' /var/lib/matrix/homeserver.yaml sed -i 's|log_file:.*|log_file: /dev/null|g' /var/lib/matrix/homeserver.yaml
fi
if ! grep -q "#log_config:" /var/lib/matrix/homeserver.yaml; then if ! grep -q "#log_config:" /var/lib/matrix/homeserver.yaml; then
sed -i 's|log_config:|#log_config:|g' /var/lib/matrix/homeserver.yaml sed -i 's|log_config:|#log_config:|g' /var/lib/matrix/homeserver.yaml
fi fi
@ -83,6 +87,12 @@ function logging_off_matrix {
if [ -f /etc/matrix/homeserver.log.1 ]; then if [ -f /etc/matrix/homeserver.log.1 ]; then
$REMOVE_FILES_COMMAND /etc/matrix/homeserver.log.1 $REMOVE_FILES_COMMAND /etc/matrix/homeserver.log.1
fi fi
if [ -f /etc/matrix/homeserver.log.2 ]; then
$REMOVE_FILES_COMMAND /etc/matrix/homeserver.log.2
fi
if [ -f /etc/matrix/homeserver.log.3 ]; then
$REMOVE_FILES_COMMAND /etc/matrix/homeserver.log.3
fi
fi fi
} }
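Review bot: The rotated-log cleanup at the end of logging_off_matrix is now three copy-pasted `if [ -f … ]` blocks for `.1`, `.2` and `.3`, and any further rotation (`.4` and beyond) is still left on disk even though the intent of this function is to leave no log behind. A single glob covers every rotation and keeps the function short: `for f in /etc/matrix/homeserver.log.*; do [ -f "$f" ] && $REMOVE_FILES_COMMAND "$f"; done`. logging_off_matrix starts outside the hunk.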


@ -40,7 +40,7 @@ NEXTCLOUD_CODE=
NEXTCLOUD_ONION_PORT=8112 NEXTCLOUD_ONION_PORT=8112
NEXTCLOUD_REPO="https://github.com/nextcloud/server" NEXTCLOUD_REPO="https://github.com/nextcloud/server"
# Stable 12 branch # Stable 12 branch
NEXTCLOUD_COMMIT='5e22b330963d01feb636b24e7b1027b50b46e3c2' NEXTCLOUD_COMMIT='cd095bb0b85eed6a9a9f6f0f7d10f2366c4667a7'
NEXTCLOUD_ADMIN_PASSWORD= NEXTCLOUD_ADMIN_PASSWORD=
nextcloud_variables=(ONION_ONLY nextcloud_variables=(ONION_ONLY
@ -209,6 +209,7 @@ function upgrade_nextcloud {
set_repo_commit /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs "nextcloud commit" "$NEXTCLOUD_COMMIT" $NEXTCLOUD_REPO set_repo_commit /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs "nextcloud commit" "$NEXTCLOUD_COMMIT" $NEXTCLOUD_REPO
upgrade_nextcloud_base upgrade_nextcloud_base
sudo -u www-data ./occ upgrade
} }
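Review bot: `sudo -u www-data ./occ upgrade` depends on the current working directory being the Nextcloud htdocs, which nothing in this hunk sets (whether `set_repo_commit` or `upgrade_nextcloud_base` leaves the shell there is not visible), and its exit status is ignored, so a failed upgrade may leave the instance in maintenance mode without any message in the log. Use the absolute path and report failure: `sudo -u www-data php /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs/occ upgrade || echo $'Nextcloud occ upgrade failed'`. upgrade_nextcloud starts outside the hunk.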


@ -315,6 +315,7 @@ function postactiv_set_expire_months {
} }
function configure_interactive_postactiv { function configure_interactive_postactiv {
read_config_param "POSTACTIV_EXPIRE_MONTHS"
while true while true
do do
data=$(tempfile 2>/dev/null) data=$(tempfile 2>/dev/null)


@ -41,8 +41,8 @@ XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+
XMPP_ECC_CURVE='"secp384r1"' XMPP_ECC_CURVE='"secp384r1"'
prosody_latest_version='0.10' prosody_latest_version='0.10'
prosody_nightly=382 prosody_nightly=410
prosody_nightly_hash='770f1a0466f2361184eebffac9f50c102ad842cd855190db6c7f42f2f09884f5' prosody_nightly_hash='9cf3db6a09895a744d72eb90b4a635758a710afe1a16b78506c7139c4e7211eb'
prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly} prosody_filename=prosody-${prosody_latest_version}-1nightly${prosody_nightly}
prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz" prosody_nightly_url="https://prosody.im/nightly/${prosody_latest_version}/latest/${prosody_filename}.tar.gz"
@ -356,7 +356,9 @@ function update_prosody_modules {
mkdir -p /var/lib/prosody/prosody-modules mkdir -p /var/lib/prosody/prosody-modules
fi fi
cp -r $INSTALL_DIR/prosody-modules/* /var/lib/prosody/prosody-modules/ cp -r $INSTALL_DIR/prosody-modules/* /var/lib/prosody/prosody-modules/
cp -r $INSTALL_DIR/prosody-modules/* /usr/lib/prosody/modules/
chown -R prosody:prosody /var/lib/prosody/prosody-modules chown -R prosody:prosody /var/lib/prosody/prosody-modules
chown -R prosody:prosody /usr/lib/prosody/modules
systemctl start prosody systemctl start prosody
else else
echo $'Prosody modules not extracted' echo $'Prosody modules not extracted'
@ -1019,6 +1021,7 @@ function install_xmpp {
if [ -d /etc/letsencrypt ]; then if [ -d /etc/letsencrypt ]; then
usermod -a -G ssl-cert prosody usermod -a -G ssl-cert prosody
fi fi
apt-mark -q hold prosody
systemctl restart prosody systemctl restart prosody
if [[ $ONION_ONLY != 'no' ]]; then if [[ $ONION_ONLY != 'no' ]]; then
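Review bot: `chown -R prosody:prosody /usr/lib/prosody/modules` hands ownership of the system-wide module directory — Lua code that prosody executes — to the service account itself, so a compromised prosody process could rewrite its own modules and persist across restarts. Prosody only needs to read these files; the `cp -r` runs as root and leaves them root-owned, so either drop the chown line or replace it with `chown -R root:root /usr/lib/prosody/modules` and `chmod -R a+rX /usr/lib/prosody/modules`. The pre-existing chown of `/var/lib/prosody/prosody-modules` has the same issue but is outside this change. Since `cp -r` now writes into the package-managed `/usr/lib/prosody/modules`, the `apt-mark -q hold prosody` added in the later hunk is what stops a package upgrade from silently replacing them, which deserves a comment: `# hold the package: /usr/lib/prosody/modules is overwritten by update_prosody_modules`. update_prosody_modules starts and ends outside the hunk.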


@ -1345,8 +1345,8 @@ function configure_imap {
echo $'Unable to find /etc/dovecot/conf.d/10-ssl.conf' echo $'Unable to find /etc/dovecot/conf.d/10-ssl.conf'
exit 83629 exit 83629
fi fi
sed -i 's|#ssl =.*|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf sed -i 's|#ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|ssl =.*|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf sed -i 's|ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/dovecot.crt|g" /etc/dovecot/conf.d/10-ssl.conf sed -i "s|#ssl_cert =.*|ssl_cert = </etc/ssl/certs/dovecot.crt|g" /etc/dovecot/conf.d/10-ssl.conf
sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/dovecot.crt|g" /etc/dovecot/conf.d/10-ssl.conf sed -i "s|ssl_cert =.*|ssl_cert = </etc/ssl/certs/dovecot.crt|g" /etc/dovecot/conf.d/10-ssl.conf
sed -i "s|#ssl_key =.*|ssl_key = </etc/ssl/private/dovecot.key|g" /etc/dovecot/conf.d/10-ssl.conf sed -i "s|#ssl_key =.*|ssl_key = </etc/ssl/private/dovecot.key|g" /etc/dovecot/conf.d/10-ssl.conf
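Review bot: `ssl = no` turns TLS off for every Dovecot IMAP/POP client, not only the local one this commit is presumably accommodating (the Mailpile script writes the same value), so remote mail clients that previously got `ssl = required` now either fail to connect or fall back to plaintext over the network. If the goal is to let a localhost client such as Mailpile connect without TLS, `ssl = yes` keeps STARTTLS and IMAPS available to remote clients, and with Dovecot's default `disable_plaintext_auth = yes` (verify it is still set in 10-auth.conf) plaintext logins are still refused on non-local unencrypted connections. Proposed: `sed -i 's|#ssl =.*|ssl = yes|g' /etc/dovecot/conf.d/10-ssl.conf` and `sed -i 's|ssl =.*|ssl = yes|g' /etc/dovecot/conf.d/10-ssl.conf`. configure_imap starts and ends outside the hunk.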


@ -124,6 +124,13 @@ function install_tripwire {
if ! grep -q '!/usr/local/lib/node_modules' /etc/tripwire/twpol.txt; then if ! grep -q '!/usr/local/lib/node_modules' /etc/tripwire/twpol.txt; then
sed -i '\|/etc\t\t->.*|a\ !/usr/local/lib/node_modules ;' /etc/tripwire/twpol.txt sed -i '\|/etc\t\t->.*|a\ !/usr/local/lib/node_modules ;' /etc/tripwire/twpol.txt
fi fi
# Events here are likely due to USB HRNG activity
if ! grep -q '!/dev/char' /etc/tripwire/twpol.txt; then
sed -i '\|/dev\t\t->.*|a\ !/dev/char ;' /etc/tripwire/twpol.txt
fi
if ! grep -q '!/dev/bus/usb' /etc/tripwire/twpol.txt; then
sed -i '\|/dev\t\t->.*|a\ !/dev/bus/usb ;' /etc/tripwire/twpol.txt
fi
# Not much is in /usr/local/bin other than project commands and avoiding it removes # Not much is in /usr/local/bin other than project commands and avoiding it removes
# problems with updates. This is a tradeoff, but not by much. # problems with updates. This is a tradeoff, but not by much.
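Review bot: Excluding `/dev/bus/usb` and `/dev/char` from the tripwire policy also silences reports for any newly attached USB device, so a rogue peripheral plugged into the box no longer appears in the integrity report, and the comment only guesses ("likely") that the noise comes from the USB HRNG. If the noise is confirmed to be the HRNG alone, consider excluding just its device node rather than the whole bus; otherwise record the trade-off next to the exclusion the way the `/usr/local/bin` comment below does, e.g. `# Tradeoff: ignoring /dev/bus/usb also hides newly attached USB devices from the report`. install_tripwire starts and ends outside the hunk.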


@ -129,8 +129,43 @@ if [[ $USB_DRIVE == *"dev"* ]]; then
fi fi
function any_key { function any_key {
echo ' ' echo ''
read -n1 -r -p $"Press any key to continue..." key read -n1 -rsp $"Press any key to continue..." key
}
function any_key_verify {
echo ''
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
return
fi
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title $"Check tripwire hash" \
--backtitle $"Freedombone Control Panel" \
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>$data
sel=$?
case $sel in
0)
GIVEN_HASH=$(<$data)
if [ ${#GIVEN_HASH} -gt 8 ]; then
if [[ "$GIVEN_HASH" == *' '* ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\nThe hash should not contain any spaces" 10 40
else
DBHASH=$(sha512sum /var/lib/tripwire/${HOSTNAME}.twd | awk -F ' ' '{print $1}')
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\nSuccess\n\nThe hash you gave matches the current tripwire database" 10 40
else
dialog --title $"Check tripwire" \
--msgbox $"\nFailed\n\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
fi
fi
fi
;;
esac
} }
function get_app_icann_address { function get_app_icann_address {
@ -2182,7 +2217,7 @@ function menu_top_level {
3) menu_backup_restore;; 3) menu_backup_restore;;
4) show_firewall;; 4) show_firewall;;
5) show_tripwire_verification_code 5) show_tripwire_verification_code
any_key;; any_key_verify;;
6) reset_tripwire;; 6) reset_tripwire;;
7) menu_app_settings;; 7) menu_app_settings;;
8) /usr/local/bin/addremove 8) /usr/local/bin/addremove
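Review bot: `if [ ${#GIVEN_HASH} -gt 8 ]` in any_key_verify accepts any pasted string longer than eight characters, so a truncated or upper-cased paste of the code is reported as "Failed … unauthorised modification" instead of as malformed input, which teaches the admin to ignore the warning; `sha512sum` always emits exactly 128 lowercase hex characters. Assuming show_tripwire_verification_code prints the full digest of the same `.twd` file (not visible here), normalise case and check the length before comparing: `GIVEN_HASH=$(tr '[:upper:]' '[:lower:]' < "$data")` and `if [ ${#GIVEN_HASH} -ne 128 ]; then dialog --title $"Check tripwire" --msgbox $"\nThat does not look like a sha512 hash" 10 40; return; fi`. Also quote `"$data"` and `"${HOSTNAME}"` on the `DBHASH=$(sha512sum …)` line. menu_top_level starts and ends outside its hunk.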


@ -741,6 +741,9 @@ function expire_gnusocial_posts {
expire_days=$((expire_months * 30)) expire_days=$((expire_months * 30))
# files are what take up most of the backup time, so don't keep them for very long
expire_days_files=7
# To prevent the database size from growing endlessly this script expires posts # To prevent the database size from growing endlessly this script expires posts
# after a number of months # after a number of months
if [ ! -d /var/www/${domain_name}/htdocs ]; then if [ ! -d /var/www/${domain_name}/htdocs ]; then
@ -788,15 +791,16 @@ function expire_gnusocial_posts {
echo '$rowaff1 notices, $rowaff2 conversations, $rowaff3 replies, and $rowaff4 qvitter notifications deleted from database.\n";' >> $gnusocial_expire_posts_script echo '$rowaff1 notices, $rowaff2 conversations, $rowaff3 replies, and $rowaff4 qvitter notifications deleted from database.\n";' >> $gnusocial_expire_posts_script
chmod +x $gnusocial_expire_posts_script chmod +x $gnusocial_expire_posts_script
gnusocial_expire_script=/usr/bin/${gnusocial_type}-expire gnusocial_expire_script=/etc/cron.daily/${gnusocial_type}-expire
echo '#!/bin/bash' > $gnusocial_expire_script echo '#!/bin/bash' > $gnusocial_expire_script
echo "find /var/www/${domain_name}/htdocs/file/* -mtime +${expire_days} -exec rm {} +" >> $gnusocial_expire_script echo "find /var/www/${domain_name}/htdocs/file/* -mtime +${expire_days_files} -exec rm {} +" >> $gnusocial_expire_script
echo "/usr/bin/php $gnusocial_expire_posts_script" >> $gnusocial_expire_script echo "/usr/bin/php $gnusocial_expire_posts_script" >> $gnusocial_expire_script
chmod +x $gnusocial_expire_script chmod +x $gnusocial_expire_script
# Add a cron job # remove any old cron job
if ! grep -q "${gnusocial_expire_script}" /etc/crontab; then if grep -q "${gnusocial_type}-expire" /etc/crontab; then
echo "10 3 5 * * root /usr/bin/timeout 500 ${gnusocial_expire_script}" >> /etc/crontab sed -i "/${gnusocial_type}-expire/d" /etc/crontab
rm /usr/bin/${gnusocial_type}-expire
fi fi
# remove old expire script # remove old expire script
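Review bot: The generated `find /var/www/${domain_name}/htdocs/file/* -mtime +${expire_days_files} -exec rm {} +` relies on the shell glob: with an empty upload directory `find` is handed the literal `*` and errors, and with a large one the expanded argument list can exceed ARG_MAX, in which case the daily script aborts before the PHP expiry on the next line runs. Let find walk the directory instead: `find /var/www/${domain_name}/htdocs/file -mindepth 1 -type f -mtime +${expire_days_files} -exec rm {} +`. Note also that the old crontab entry wrapped the script in `timeout 500` while the cron.daily version has no time bound, and `rm /usr/bin/${gnusocial_type}-expire` prints an error when the crontab line exists but the file is already gone (`rm -f`). expire_gnusocial_posts starts and ends outside the hunk.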


@ -286,10 +286,22 @@ function initial_setup {
mark_completed $FUNCNAME mark_completed $FUNCNAME
} }
function turn_off_magic_sysrq {
if grep -q 'kernel.sysrq = 0' /etc/sysctl.conf; then
return
fi
if grep -q 'kernel.sysrq' /etc/sysctl.conf; then
sed -i 's|#kernel.sysrq.*|kernel.sysrq = 0|g' /etc/sysctl.conf
sed -i 's|kernel.sysrq.*|kernel.sysrq = 0|g' /etc/sysctl.conf
else
echo 'kernel.sysrq = 0' >> /etc/sysctl.conf
fi
}
function setup_grub { function setup_grub {
if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then
if ! grep -q 'ifnames=0' /etc/default/grub; then if ! grep -q 'ifnames=0' /etc/default/grub; then
sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1"|g' /etc/default/grub sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1 panic=0"|g' /etc/default/grub
update-grub update-grub
fi fi
fi fi
@ -782,6 +794,9 @@ function setup_utils {
function_check enable_predictable_device_names function_check enable_predictable_device_names
enable_predictable_device_names enable_predictable_device_names
function_check turn_off_magic_sysrq
turn_off_magic_sysrq
function_check separate_tmp_filesystem function_check separate_tmp_filesystem
separate_tmp_filesystem 150 separate_tmp_filesystem 150
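Review bot: `grep -q 'kernel.sysrq = 0'` in turn_off_magic_sysrq also matches a commented-out `#kernel.sysrq = 0` line, in which case the function returns early and the setting is never enabled; anchor the check to the start of the line, `if grep -q '^kernel.sysrq = 0' /etc/sysctl.conf; then`. The function only edits `/etc/sysctl.conf`, which is applied at boot, so the running kernel keeps its current `kernel.sysrq` value until a reboot — add `sysctl -w kernel.sysrq=0` at the end if this is meant to take effect during setup. The `panic=0` appended to the GRUB command line is, unless the distribution kernel sets CONFIG_PANIC_TIMEOUT, the default (no automatic reboot after a panic), so it documents intent rather than changing behaviour and deserves a comment saying so. turn_off_magic_sysrq is fully inside the hunk; setup_grub and setup_utils run past its edges.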


@ -3,7 +3,7 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head> <head>
<!-- 2017-05-08 Mon 23:45 --> <!-- 2017-08-08 Tue 17:39 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" /> <meta name="viewport" content="width=device-width, initial-scale=1" />
<title></title> <title></title>
@ -264,9 +264,17 @@ NextCloud is a system for file synchronisation and also has many other plugins f
The videoconferencing plugin requires a browser with WebRTC support and so is unlikely to work in a Tor browser, but may still be a better option than using proprietary systems. The videoconferencing plugin requires a browser with WebRTC support and so is unlikely to work in a Tor browser, but may still be a better option than using proprietary systems.
</p> </p>
<div id="outline-container-orge6cdeb1" class="outline-2"> <div id="outline-container-orgb096beb" class="outline-2">
<h2 id="orge6cdeb1">Installation</h2> <h2 id="orgb096beb">Operational considerations</h2>
<div class="outline-text-2" id="text-orge6cdeb1"> <div class="outline-text-2" id="text-orgb096beb">
<p>
If your ISP or the government in your area is part of your threat model then NextCloud may not be the best choice for hosting files and <a href="./app_syncthing.html">Syncthing</a> could be preferable. In the past the NextCloud company is known to have remotely scanned servers without permission and reported server admins who don't immediately update to the latest version of the software to their ISPs or to questionable government agencies. Depending upon where you are located such activities by the developer, which are not really in the spirit of independent self-hosting, could have very undesirable results.
</p>
</div>
</div>
<div id="outline-container-orgcac5c6a" class="outline-2">
<h2 id="orgcac5c6a">Installation</h2>
<div class="outline-text-2" id="text-orgcac5c6a">
<p> <p>
Log into your system with: Log into your system with:
</p> </p>
@ -286,9 +294,9 @@ Select <b>Add/Remove Apps</b> then <b>nextcloud</b>. You will then be asked for
</div> </div>
</div> </div>
<div id="outline-container-orgdf0be0a" class="outline-2"> <div id="outline-container-org87dcfbd" class="outline-2">
<h2 id="orgdf0be0a">Initial setup</h2> <h2 id="org87dcfbd">Initial setup</h2>
<div class="outline-text-2" id="text-orgdf0be0a"> <div class="outline-text-2" id="text-org87dcfbd">
<p> <p>
Go to the <b>Administrator control panel</b> and select <b>Passwords</b> then <b>nextcloud</b>. This will give you the password to initially log in to the system and you can change it later from a client app if needed. Go to the <b>Administrator control panel</b> and select <b>Passwords</b> then <b>nextcloud</b>. This will give you the password to initially log in to the system and you can change it later from a client app if needed.
</p> </p>