#!/bin/bash
#  _____               _           _
# |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# |   __|  _| -_| -_| . | . |     | . | . |   | -_|
# |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
#                              Freedom in the Cloud
#
# nextcloud application
# In tests this is much too slow, and it appeared to self-destruct after a few minutes
# i.e. becoming totally unusable.
#
# License
# =======
#
# Copyright (C) 2017-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

VARIANTS='full full-vim cloud'

IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=1

NEXTCLOUD_DOMAIN_NAME=
NEXTCLOUD_CODE=
NEXTCLOUD_ONION_PORT=8112
NEXTCLOUD_REPO="https://github.com/nextcloud/server"
# Stable 13 branch
NEXTCLOUD_COMMIT='edd5712c6ead5b09fa4f996cfda66fc4e18ba597'
NEXTCLOUD_ADMIN_PASSWORD=
NEXTCLOUD_SERVER_SIDE_ENCRYPTION=1

NEXTCLOUD_SHORT_DESCRIPTION=$'NextCloud'
NEXTCLOUD_DESCRIPTION=$'NextCloud'
NEXTCLOUD_MOBILE_APP_URL='https://f-droid.org/packages/com.nextcloud.client'

nextcloud_variables=(ONION_ONLY
                     NEXTCLOUD_DOMAIN_NAME
                     NEXTCLOUD_CODE
                     DDNS_PROVIDER
                     MY_USERNAME)

function logging_on_nextcloud {
    echo -n ''
}

function logging_off_nextcloud {
    echo -n ''
}

function remove_user_nextcloud {
    remove_username="$1"

    "${PROJECT_NAME}-pass" -u "$remove_username" --rmapp nextcloud
}

function add_user_nextcloud {
    new_username="$1"
    new_user_password="$2"

    "${PROJECT_NAME}-pass" -u "$new_username" -a nextcloud -p "$new_user_password"
    echo '0'
}

function change_password_nextcloud {
    curr_username="$1"

    export OC_PASS="$2"
    su -s /bin/sh www-data -c "php occ user:resetpassword --password-from-env $curr_username"
    "${PROJECT_NAME}-pass" -u "$curr_username" -a nextcloud -p "$OC_PASS"
    export OC_PASS=""
}

function install_interactive_nextcloud {
    if [ ! "$ONION_ONLY" ]; then
        ONION_ONLY='no'
    fi

    dialog --title $"Enable NextCloud server side encryption" \
           --backtitle $"Freedombone Configuration" \
           --yesno $"\\nDo you want to enable server side encryption. On ARM or older x86 systems, especially without HRNG, this may make performance excessively slow?" 10 60
    sel=$?
    case $sel in
        1) NEXTCLOUD_SERVER_SIDE_ENCRYPTION=
           ;;
        255) return;;
    esac

    if [[ $ONION_ONLY != "no" ]]; then
        NEXTCLOUD_DOMAIN_NAME='nextcloud.local'
    else
        NEXTCLOUD_DETAILS_COMPLETE=
        while [ ! $NEXTCLOUD_DETAILS_COMPLETE ]
        do
            data=$(mktemp 2>/dev/null)
            if [[ "$DDNS_PROVIDER" == *"freedns"* ]]; then
                dialog --backtitle $"Freedombone Configuration" \
                       --title $"NextCloud Configuration" \
                       --form $"\\nPlease enter your NextCloud details.\\n\\nIMPORTANT: This should be a domain name which is supported by Let's Encrypt:" 13 65 3 \
                       $"Domain:" 1 1 "$(grep 'NEXTCLOUD_DOMAIN_NAME' temp.cfg | awk -F '=' '{print $2}')" 1 15 40 40 \
                       $"Code:" 2 1 "$(grep 'NEXTCLOUD_CODE' temp.cfg | awk -F '=' '{print $2}')" 2 15 40 255 \
                       2> "$data"
            else
                dialog --backtitle $"Freedombone Configuration" \
                       --title $"NextCloud Configuration" \
                       --form $"\\nPlease enter your NextCloud details.\\n\\nIMPORTANT: This should be a domain name which is supported by Let's Encrypt:" 13 65 2 \
                       $"Domain:" 1 1 "$(grep 'NEXTCLOUD_DOMAIN_NAME' temp.cfg | awk -F '=' '{print $2}')" 1 15 40 40 \
                       2> "$data"
            fi
            sel=$?
            case $sel in
                1) rm -f "$data"
                   exit 1;;
                255) rm -f "$data"
                     exit 1;;
            esac
            NEXTCLOUD_DOMAIN_NAME=$(sed -n 1p < "$data")
            if [ "$NEXTCLOUD_DOMAIN_NAME" ]; then
                TEST_DOMAIN_NAME=$NEXTCLOUD_DOMAIN_NAME
                validate_domain_name
                if [[ "$TEST_DOMAIN_NAME" != "$NEXTCLOUD_DOMAIN_NAME" ]]; then
                    NEXTCLOUD_DOMAIN_NAME=
                    dialog --title $"Domain name validation" --msgbox "$TEST_DOMAIN_NAME" 15 50
                else
                    if [[ "$DDNS_PROVIDER" == *"freedns"* ]]; then
                        NEXTCLOUD_CODE=$(sed -n 2p < "$data")
                        validate_freedns_code "$NEXTCLOUD_CODE"
                        if [ ! "$VALID_CODE" ]; then
                            NEXTCLOUD_DOMAIN_NAME=
                        fi
                    fi
                fi
            fi
            if [ $NEXTCLOUD_DOMAIN_NAME ]; then
                NEXTCLOUD_DETAILS_COMPLETE="yes"
            fi
            rm -f "$data"
        done

        # remove any invalid characters
        if [ ${#NEXTCLOUD_TITLE} -gt 0 ]; then
            new_title=${NEXTCLOUD_TITLE//\'/}
            NEXTCLOUD_TITLE="$new_title"
        fi

        # save the results in the config file
        write_config_param "NEXTCLOUD_CODE" "$NEXTCLOUD_CODE"
    fi
    write_config_param "NEXTCLOUD_DOMAIN_NAME" "$NEXTCLOUD_DOMAIN_NAME"
    APP_INSTALLED=1
}

function change_password_nextcloud {
    curr_username="$1"
    new_user_password="$2"

    read_config_param ${NEXTCLOUD_DOMAIN_NAME}

    "${PROJECT_NAME}-pass" -u "$curr_username" -a nextcloud -p "$new_user_password"
}

function nextcloud_create_database {
    if [ -f "$IMAGE_PASSWORD_FILE" ]; then
        NEXTCLOUD_ADMIN_PASSWORD="$(printf "%s" "$(cat "$IMAGE_PASSWORD_FILE")")"
    else
        if [ ! "$NEXTCLOUD_ADMIN_PASSWORD" ]; then
            NEXTCLOUD_ADMIN_PASSWORD="$(create_password "${MINIMUM_PASSWORD_LENGTH}")"
        fi
    fi
    if [ ! "$NEXTCLOUD_ADMIN_PASSWORD" ]; then
        return
    fi

    function_check create_database
    create_database nextcloud "$NEXTCLOUD_ADMIN_PASSWORD" "$MY_USERNAME"
}

function reconfigure_nextcloud {
    echo -n ''
}

function configure_interactive_nextcloud {
    echo -n ''
}

function upgrade_nextcloud_base {
    chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
    chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/data
    cd "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs" || exit 232547985
    sudo -u www-data ./occ maintenance:repair
    sudo -u www-data ./occ files:cleanup
    sudo -u www-data ./occ files:scan --all
    sudo -u www-data ./occ maintenance:mode --off
}

function upgrade_nextcloud {
    CURR_NEXTCLOUD_COMMIT=$(get_completion_param "nextcloud commit")
    if [[ "$CURR_NEXTCLOUD_COMMIT" == "$NEXTCLOUD_COMMIT" ]]; then
        upgrade_nextcloud_base
        return
    fi

    if grep -q "nextcloud domain" "$COMPLETION_FILE"; then
        NEXTCLOUD_DOMAIN_NAME=$(get_completion_param "nextcloud domain")
    fi

    # update to the next commit
    function_check set_repo_commit
    set_repo_commit "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs" "nextcloud commit" "$NEXTCLOUD_COMMIT" "$NEXTCLOUD_REPO"

    upgrade_nextcloud_base
    sudo -u www-data ./occ upgrade
}


function backup_local_nextcloud {
    NEXTCLOUD_DOMAIN_NAME='nextcloud'
    if grep -q "nextcloud domain" "$COMPLETION_FILE"; then
        NEXTCLOUD_DOMAIN_NAME=$(get_completion_param "nextcloud domain")
    fi

    source_directory=/var/www/${NEXTCLOUD_DOMAIN_NAME}/data
    if [ -d "$source_directory" ]; then
        function_check suspend_site
        suspend_site "${NEXTCLOUD_DOMAIN_NAME}"

        dest_directory=nextcloudfiles
        function_check backup_directory_to_usb
        backup_directory_to_usb "$source_directory" "$dest_directory"

        source_directory=/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/config
        dest_directory=nextcloudconfig
        backup_directory_to_usb "$source_directory" "$dest_directory"

        function_check backup_database_to_usb
        backup_database_to_usb nextcloud

        function_check restart_site
        restart_site
    fi
}

function restore_local_nextcloud {
    if ! grep -q "nextcloud domain" "$COMPLETION_FILE"; then
        return
    fi
    NEXTCLOUD_DOMAIN_NAME=$(get_completion_param "nextcloud domain")
    if [ "$NEXTCLOUD_DOMAIN_NAME" ]; then

        temp_restore_dir=/root/tempnextcloud
        function_check nextcloud_create_database
        nextcloud_create_database
        restore_database nextcloud "${NEXTCLOUD_DOMAIN_NAME}"

        temp_restore_dir=/root/tempnextcloudfiles
        restore_directory_from_usb $temp_restore_dir nextcloudfiles

        if [ -d "$temp_restore_dir/var/www/${NEXTCLOUD_DOMAIN_NAME}/data" ]; then
            cp -r "$temp_restore_dir/var/www/${NEXTCLOUD_DOMAIN_NAME}/data" "/var/www/${NEXTCLOUD_DOMAIN_NAME}/"
        else
            cp -r $temp_restore_dir/* "/var/www/${NEXTCLOUD_DOMAIN_NAME}/"
        fi
        # shellcheck disable=SC2181
        if [ ! "$?" = "0" ]; then
            set_user_permissions
            backup_unmount_drive
            exit 346723
        fi
        rm -rf ${temp_restore_dir}

        temp_restore_dir=/root/tempnextcloudconfig
        restore_directory_from_usb $temp_restore_dir nextcloudconfig

        if [ -d "$temp_restore_dir/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/config" ]; then
            cp -r "$temp_restore_dir/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/config" "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs"
        else
            cp -r $temp_restore_dir/* "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/config/"
        fi

        # shellcheck disable=SC2181
        if [ ! "$?" = "0" ]; then
            set_user_permissions
            backup_unmount_drive
            exit 3467343
        fi
        rm -rf ${temp_restore_dir}

        chown -R www-data:www-data "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs"
        chown -R www-data:www-data "/var/www/${NEXTCLOUD_DOMAIN_NAME}/data"
        cd "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs" || exit 14893545875
        sudo -u www-data ./occ maintenance:repair
        sudo -u www-data ./occ files:cleanup
        sudo -u www-data ./occ files:scan --all
    fi
}

function backup_remote_nextcloud {
    if grep -q "nextcloud domain" "$COMPLETION_FILE"; then
        NEXTCLOUD_DOMAIN_NAME=$(get_completion_param "nextcloud domain")
        temp_backup_dir=/var/www/${NEXTCLOUD_DOMAIN_NAME}/data
        if [ -d "$temp_backup_dir" ]; then
            function_check suspend_site
            suspend_site "${NEXTCLOUD_DOMAIN_NAME}"

            function_check backup_database_to_friend
            backup_database_to_friend nextcloud

            function_check backup_directory_to_friend
            backup_directory_to_friend "$temp_backup_dir" nextclouddata

            temp_backup_dir=/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/config
            backup_directory_to_friend "$temp_backup_dir" nextcloudconfig

            function_check restart_site
            restart_site
        else
            echo $"nextcloud domain specified but not found in ${temp_backup_dir}"
        fi
    fi
}

function restore_remote_nextcloud {
    if grep -q "nextcloud domain" "$COMPLETION_FILE"; then
        echo $"Restoring nextcloud"
        NEXTCLOUD_DOMAIN_NAME=$(get_completion_param "nextcloud domain")

        function_check nextcloud_create_database
        nextcloud_create_database

        function_check restore_database_from_friend
        restore_database_from_friend nextcloud "${NEXTCLOUD_DOMAIN_NAME}"
        if [ -d /root/tempnextcloud ]; then
            rm -rf /root/tempnextcloud
        fi

        temp_restore_dir=/root/tempnextcloudfiles
        restore_directory_from_friend $temp_restore_dir nextcloudfiles

        if [ -d "$temp_restore_dir/var/www/${NEXTCLOUD_DOMAIN_NAME}/data" ]; then
            cp -r "$temp_restore_dir/var/www/${NEXTCLOUD_DOMAIN_NAME}/data" "/var/www/${NEXTCLOUD_DOMAIN_NAME}/"
        else
            cp -r $temp_restore_dir/* "/var/www/${NEXTCLOUD_DOMAIN_NAME}/"
        fi
        # shellcheck disable=SC2181
        if [ ! "$?" = "0" ]; then
            exit 768254
        fi
        rm -rf ${temp_restore_dir}

        temp_restore_dir=/root/tempnextcloudconfig
        restore_directory_from_friend $temp_restore_dir nextcloudconfig

        if [ -d "$temp_restore_dir/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/config" ]; then
            cp -r "$temp_restore_dir/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/config" "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs"
        else
            cp -r $temp_restore_dir/* "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/config/"
        fi

        # shellcheck disable=SC2181
        if [ ! "$?" = "0" ]; then
            exit 573427
        fi
        rm -rf ${temp_restore_dir}

        chown -R www-data:www-data "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs"
        chown -R www-data:www-data "/var/www/${NEXTCLOUD_DOMAIN_NAME}/data"
        cd "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs" || exit 2642846824
        sudo -u www-data ./occ maintenance:repair
        sudo -u www-data ./occ files:cleanup
        sudo -u www-data ./occ files:scan --all
    fi
}

function remove_nextcloud {
    if [ ${#NEXTCLOUD_DOMAIN_NAME} -eq 0 ]; then
        return
    fi
    function_check remove_nodejs
    remove_nodejs pleroma-nextcloud

    sed -i 's|env[PATH]|;env[PATH]|g' /etc/php/7.0/fpm/pool.d/www.conf

    read_config_param "NEXTCLOUD_DOMAIN_NAME"
    read_config_param "MY_USERNAME"
    echo "Removing $NEXTCLOUD_DOMAIN_NAME"
    nginx_dissite "$NEXTCLOUD_DOMAIN_NAME"
    remove_certs "$NEXTCLOUD_DOMAIN_NAME"
    if [ -d "/var/www/$NEXTCLOUD_DOMAIN_NAME" ]; then
        rm -rf "/var/www/$NEXTCLOUD_DOMAIN_NAME"
    fi
    if [ -f "/etc/nginx/sites-available/$NEXTCLOUD_DOMAIN_NAME" ]; then
        rm "/etc/nginx/sites-available/$NEXTCLOUD_DOMAIN_NAME"
    fi
    function_check drop_database
    drop_database nextcloud
    function_check remove_onion_service
    remove_onion_service nextcloud ${NEXTCLOUD_ONION_PORT}
    remove_app nextcloud
    remove_completion_param install_nextcloud
    sed -i '/nextcloud/d' "$COMPLETION_FILE"
    remove_backup_database_local nextcloud

    function_check remove_ddns_domain
    remove_ddns_domain "$NEXTCLOUD_DOMAIN_NAME"
    systemctl restart nginx
    systemctl restart php7.0-fpm
}

function install_nextcloud_main {
    if [ ! "$NEXTCLOUD_DOMAIN_NAME" ]; then
        echo $'No domain name was given for nextcloud'
        exit 7359
    fi

    if [[ $(app_is_installed nextcloud_main) == "1" ]]; then
        return
    fi

    function_check install_mariadb
    install_mariadb

    function_check get_mariadb_password
    get_mariadb_password

    function_check repair_databases_script
    repair_databases_script

    apt-get -yq install php-gettext php-curl php-gd php-mysql git curl
    apt-get -yq install php-intl memcached php-memcached libfcgi0ldbl
    apt-get -yq install php-zip

    # Ensure PATH is available to php
    if [ ! -f /etc/php/7.0/fpm/pool.d/www.conf ]; then
       echo $'No php www configuration file found'
       exit 628757
    fi
    sed -i 's|;env[PATH]|env[PATH]|g' /etc/php/7.0/fpm/pool.d/www.conf

    if [ ! -d "/var/www/$NEXTCLOUD_DOMAIN_NAME" ]; then
        mkdir "/var/www/$NEXTCLOUD_DOMAIN_NAME"
    fi
    if [ ! -d "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs" ]; then

        if [ -d /repos/nextcloud ]; then
            mkdir "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs"
            cp -r -p /repos/nextcloud/. "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs"
            cd "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs" || exit 2783539793
            git pull
        else
            function_check git_clone
            git_clone "$NEXTCLOUD_REPO" "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs"
        fi

        if [ ! -d "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs" ]; then
            echo $'Unable to clone nextcloud repo'
            exit 87525
        fi
    fi

    cd "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs" || exit 3468346834
    git submodule update --init
    git checkout $NEXTCLOUD_COMMIT -b $NEXTCLOUD_COMMIT
    set_completion_param "nextcloud commit" "$NEXTCLOUD_COMMIT"

    chmod g+w "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs"
    chown -R www-data:www-data "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs"

    function_check nextcloud_create_database
    nextcloud_create_database

    if [ ! -f "/etc/aliases" ]; then
        touch /etc/aliases
    fi
    if ! grep -q "www-data: root" /etc/aliases; then
        echo 'www-data: root' >> /etc/aliases
    fi

    function_check add_ddns_domain
    add_ddns_domain "$NEXTCLOUD_DOMAIN_NAME"

    nextcloud_nginx_site=/etc/nginx/sites-available/$NEXTCLOUD_DOMAIN_NAME
    if [[ $ONION_ONLY == "no" ]]; then
        function_check nginx_http_redirect
        nginx_http_redirect "$NEXTCLOUD_DOMAIN_NAME"
        { echo 'server {';
          echo '  listen 443 ssl;';
          echo '  #listen [::]:443 ssl;';
          echo "  server_name $NEXTCLOUD_DOMAIN_NAME;";
          echo '';
          echo '  # Security'; } >> "$nextcloud_nginx_site"
        function_check nginx_ssl
        nginx_ssl "$NEXTCLOUD_DOMAIN_NAME" mobile

        function_check nginx_security_options
        nginx_security_options "$NEXTCLOUD_DOMAIN_NAME"

        { echo '  add_header Strict-Transport-Security max-age=15768000;';
          echo '';
          echo '  # Logs';
          echo '  access_log /dev/null;';
          echo '  error_log /dev/null;';
          echo '';
          echo '  # Root';
          echo "  root /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs;";
          echo '';
          echo '  # Index';
          echo '  index index.php;';
          echo '';

          # By default nextcloud advertises highly specific version information
          # on status.php, which can obviously be used by adversaries.
          # Blocking status.php prevents this information leak
          echo '  location = /status.php {';
          echo '    return 404;';
          echo '  }';
          echo '';

          echo '  # PHP';
          echo '  location ~ \.php {';
          echo '    include snippets/fastcgi-php.conf;';
          echo '    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;';
          echo '    fastcgi_read_timeout 30;';
          echo '  }';
          echo '';
          echo '  # Location';
          echo '  location / {'; } >> "$nextcloud_nginx_site"
        function_check nginx_limits
        nginx_limits "$NEXTCLOUD_DOMAIN_NAME" '15m'
        { echo "    try_files \$uri \$uri/ @nextcloud;";
          echo '  }';
          echo '';
          echo '  # Fancy URLs';
          echo '  location @nextcloud {';
          echo "    rewrite ^(.*)\$ /index.php?p=\$1 last;";
          echo '  }';
          echo '';
          echo '  # Restrict access that is unnecessary anyway';
          echo '  location ~ /\.(ht|git) {';
          echo '    deny all;';
          echo '  }';
          echo '';
          echo '  location = /.well-known/carddav {';
          echo "    return 301 \$scheme://\$host/remote.php/dav;";
          echo '  }';
          echo '  location = /.well-known/caldav {';
          echo "    return 301 \$scheme://\$host/remote.php/dav;";
          echo '  }';
          echo '';
          echo '  location /.well-known/acme-challenge { }';
          echo '}'; } >> "$nextcloud_nginx_site"
    else
        echo -n '' > "$nextcloud_nginx_site"
    fi
    { echo 'server {';
      echo "    listen 127.0.0.1:$NEXTCLOUD_ONION_PORT default_server;";
      echo "    server_name $NEXTCLOUD_DOMAIN_NAME;";
      echo ''; } >> "$nextcloud_nginx_site"
    function_check nginx_security_options
    nginx_security_options "$NEXTCLOUD_DOMAIN_NAME"
    { echo '';
      echo '  # Logs';
      echo '  access_log /dev/null;';
      echo '  error_log /dev/null;';
      echo '';
      echo '  # Root';
      echo "  root /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs;";
      echo '';
      echo '  # Index';
      echo '  index index.php;';
      echo '';

      # By default nextcloud advertises highly specific version information
      # on status.php, which can obviously be used by adversaries.
      # Blocking status.php prevents this information leak
      echo '  location = /status.php {';
      echo '    return 404;';
      echo '  }';
      echo '';

      echo '  # PHP';
      echo '  location ~ \.php {';
      echo '    include snippets/fastcgi-php.conf;';
      echo '    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;';
      echo '    fastcgi_read_timeout 30;';
      echo '  }';
      echo '';
      echo '  # Location';
      echo '  location / {'; } >> "$nextcloud_nginx_site"
    function_check nginx_limits
    nginx_limits "$NEXTCLOUD_DOMAIN_NAME" '15m'
    { echo "    try_files \$uri \$uri/ @nextcloud;";
      echo '  }';
      echo '';
      echo '  # Fancy URLs';
      echo '  location @nextcloud {';
      echo "    rewrite ^(.*)\$ /index.php?p=\$1 last;";
      echo '  }';
      echo '';
      echo '  # Restrict access that is unnecessary anyway';
      echo '  location ~ /\.(ht|git) {';
      echo '    deny all;';
      echo '  }';
      echo '';
      echo '  location = /.well-known/carddav {';
      echo "    return 301 \$scheme://\$host/remote.php/dav;";
      echo '  }';
      echo '  location = /.well-known/caldav {';
      echo "    return 301 \$scheme://\$host/remote.php/dav;";
      echo '  }';
      echo '';
      echo '  location /.well-known/acme-challenge { }';
      echo '}'; } >> "$nextcloud_nginx_site"

    sed -i 's| DENY;| SAMEORIGIN;|g' "$nextcloud_nginx_site"

    # NextCloud doesn't like content-security-policy at all
    sed -i '/Content-Security-Policy/d' "$nextcloud_nginx_site"

    function_check configure_php
    configure_php

    function_check create_site_certificate
    create_site_certificate "$NEXTCLOUD_DOMAIN_NAME" 'yes'

    if [[ "$ONION_ONLY" == "no" ]]; then
        if [ ! -f "/etc/ssl/certs/${NEXTCLOUD_DOMAIN_NAME}.pem" ]; then
            echo $'Certificate not generated for nextcloud'
            exit 725762
        fi
    fi

    # Ensure that the database gets backed up locally, if remote
    # backups are not being used
    function_check backup_databases_script_header
    backup_databases_script_header

    function_check backup_database_local
    backup_database_local nextcloud

    function_check nginx_ensite
    nginx_ensite "$NEXTCLOUD_DOMAIN_NAME"

    NEXTCLOUD_ONION_HOSTNAME=$(add_onion_service nextcloud 80 ${NEXTCLOUD_ONION_PORT})

    systemctl restart php7.0-fpm
    systemctl restart nginx

    "${PROJECT_NAME}-addemail" -u "$MY_USERNAME" -e "noreply@$NEXTCLOUD_DOMAIN_NAME" -g nextcloud --public no

    "${PROJECT_NAME}-pass" -u "$MY_USERNAME" -a nextcloud -p "$NEXTCLOUD_ADMIN_PASSWORD"

    cd "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs" || exit 2467245247
    if [ -d config ]; then
        chown -R www-data:www-data config
    fi
    if [ -d data ]; then
        chown -R www-data:www-data data
    fi

    chmod +x occ
    ./occ maintenance:install --database-name nextcloud --admin-user "${MY_USERNAME}" --admin-pass "${NEXTCLOUD_ADMIN_PASSWORD}" --database mysql --database-user root --database-pass "${MARIADB_PASSWORD}"
    if [ ! -d data ]; then
        echo $'Nextcloud data directory was not found. This probably means that the installation failed.'
        echo ''
        echo $'Install command was:'
        echo "./occ maintenance:install --database-name nextcloud --admin-user ${MY_USERNAME} --admin-pass \"${NEXTCLOUD_ADMIN_PASSWORD}\" --database mysql --database-user root --database-pass \"${MARIADB_PASSWORD}\""
        exit 83522
    fi
    chown -R www-data:www-data config
    chown -R www-data:www-data data
    sudo -u www-data ./occ check
    sudo -u www-data ./occ status
    sudo -u www-data ./occ app:list
    if [ $NEXTCLOUD_SERVER_SIDE_ENCRYPTION ]; then
        sudo -u www-data ./occ app:enable encryption
        if ! sudo -u www-data ./occ encryption:enable; then
            echo $'Encryption not enabled'
            exit 73527
        fi
        sudo -u www-data ./occ encryption:status
    fi
    sudo -u www-data ./occ config:system:set appstoreenabled --value=false
    chmod g+w "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/config/config.php"
    chown -R www-data:www-data "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs"
    chmod 0644 .htaccess
    chmod 0750 data
    chown -R www-data:www-data "/var/www/${NEXTCLOUD_DOMAIN_NAME}/data"
    sudo -u www-data ./occ config:system:set trusted_domains 1 --value="$NEXTCLOUD_DOMAIN_NAME"
    sudo -u www-data ./occ config:system:set trusted_domains 2 --value="$NEXTCLOUD_ONION_HOSTNAME"
    sudo -u www-data ./occ files:cleanup
    sudo -u www-data ./occ files:scan --all
    sudo -u www-data ./occ maintenance:repair
    sudo -u www-data ./occ maintenance:mode --off

    systemctl restart mariadb

    # move the data directory
    # shellcheck disable=SC2086
    mv /var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/data /var/www/${NEXTCLOUD_DOMAIN_NAME}/
    sed -i "s|'datadirectory'.*|'datadirectory' => '/var/www/$NEXTCLOUD_DOMAIN_NAME/data',|g" "/var/www/${NEXTCLOUD_DOMAIN_NAME}/htdocs/config/config.php"

    set_completion_param "nextcloud domain" "$NEXTCLOUD_DOMAIN_NAME"

    install_completed nextcloud_main
}

function install_nextcloud {
    if [ ! "$ONION_ONLY" ]; then
        ONION_ONLY='no'
    fi

    install_nextcloud_main

    APP_INSTALLED=1
}

# NOTE: deliberately there is no "exit 0"