Update arch_install.sh

2026-03-18 18:03:09 +00:00 · 2026-03-18 18:03:09 +00:00 · f40c00d7cc
parent 88433fd523
commit f40c00d7cc
1 changed files with 46 additions and 61 deletions
--- a/arch_install.sh
+++ b/arch_install.sh
@ -5,46 +5,32 @@ set -Eeuo pipefail
 # USER CONFIG
 ########################################

-# Site / domain
 NEXTCLOUD_DOMAIN="cloud.example.com"
 TRUSTED_DOMAINS=("cloud.example.com" "192.168.1.10")

-# Paths
 NEXTCLOUD_WEBROOT="/usr/share/webapps/nextcloud"
 NEXTCLOUD_CONFIG_DIR="/etc/webapps/nextcloud"
 NEXTCLOUD_DATA_DIR="/var/lib/nextcloud/data"

-# Database
 DB_NAME="nextcloud"
 DB_USER="nextcloud"
 DB_PASS="CHANGE_ME_DB_PASSWORD"

-# Nextcloud admin user
 NC_ADMIN_USER="admin"
 NC_ADMIN_PASS="CHANGE_ME_ADMIN_PASSWORD"

-# PHP / timezone
 PHP_MEMORY_LIMIT="1024M"
 PHP_UPLOAD_LIMIT="16G"
 PHP_MAX_EXECUTION_TIME="3600"
 PHP_TIMEZONE="America/New_York"

-# Apache
 APACHE_RUN_USER="http"
 APACHE_RUN_GROUP="http"

-# HTTPS note:
-# This script configures HTTP on port 80 only.
-# Put it behind your TLS reverse proxy or add your cert/vhost later.
-
-# SMB external storage mount (optional)
 ENABLE_SMB_MOUNT="false"
 SMB_REMOTE="//server/share"
 SMB_MOUNTPOINT="/mnt/nextcloud"
 SMB_CREDENTIALS_FILE="/root/.smbcredentials"
-
-# If ENABLE_SMB_MOUNT=true, this gets added to /etc/fstab
-# Arch uses user/group "http", not "www-data"
 SMB_FSTAB_OPTIONS="rw,credentials=${SMB_CREDENTIALS_FILE},uid=http,gid=http,iocharset=utf8,file_mode=0770,dir_mode=0770,noserverino,nounix,_netdev,x-systemd.automount"

 ########################################
@ -57,7 +43,6 @@ HTTPD_CONF="/etc/httpd/conf/httpd.conf"
 HTTPD_NEXTCLOUD_CONF="/etc/httpd/conf/extra/nextcloud.conf"
 HTTPD_WELLKNOWN_CONF="/etc/httpd/conf/extra/nextcloud-wellknown.conf"
 VALKEY_CONF="/etc/valkey/valkey.conf"
-MYSQL_SOCKET="/run/mysqld/mysqld.sock"

 log() {
  echo
@ -95,10 +80,6 @@ ensure_line() {
  grep -Fqx "$line" "$file" || echo "$line" >> "$file"
 }

-random_secret() {
-  tr -dc 'A-Za-z0-9!@#%^*_+=' < /dev/urandom | head -c 32
-}
-
 occ() {
  sudo -u "${APACHE_RUN_USER}" php-legacy "${NEXTCLOUD_WEBROOT}/occ" "$@"
 }
@ -111,12 +92,11 @@ require_root

 log "Validating variables"

-[[ "${NEXTCLOUD_DOMAIN}" != "cloud.example.com" ]] || echo "WARNING: NEXTCLOUD_DOMAIN still set to default example value."
 [[ "${DB_PASS}" != "CHANGE_ME_DB_PASSWORD" ]] || die "Set DB_PASS at the top of the script."
 [[ "${NC_ADMIN_PASS}" != "CHANGE_ME_ADMIN_PASSWORD" ]] || die "Set NC_ADMIN_PASS at the top of the script."

 if [[ "${ENABLE_SMB_MOUNT}" == "true" ]]; then
-  [[ -f "${SMB_CREDENTIALS_FILE}" ]] || die "ENABLE_SMB_MOUNT=true but credentials file ${SMB_CREDENTIALS_FILE} does not exist."
+  [[ -f "${SMB_CREDENTIALS_FILE}" ]] || die "ENABLE_SMB_MOUNT=true but ${SMB_CREDENTIALS_FILE} does not exist."
 fi

 log "Installing packages"
@ -145,13 +125,14 @@ pacman -S --needed --noconfirm \
 log "Creating base directories"

 mkdir -p "${NEXTCLOUD_DATA_DIR}"
+mkdir -p /var/log/httpd
+mkdir -p /run/httpd
+
+mkdir -p /var/lib/nextcloud
 chown -R "${APACHE_RUN_USER}:${APACHE_RUN_GROUP}" /var/lib/nextcloud
 chmod 0750 /var/lib/nextcloud
 chmod 0750 "${NEXTCLOUD_DATA_DIR}"

-mkdir -p /var/log/httpd
-mkdir -p /run/httpd
-
 log "Initializing and configuring MariaDB"

 if [[ ! -d /var/lib/mysql/mysql ]]; then
@ -160,7 +141,6 @@ fi

 systemctl enable --now mariadb

-# Wait for MariaDB
 for _ in {1..30}; do
  if mariadb-admin ping >/dev/null 2>&1; then
    break
@ -170,7 +150,6 @@ done

 mariadb-admin ping >/dev/null 2>&1 || die "MariaDB did not come up."

-# Secure-ish local MariaDB setup and create DB/user
 mariadb <<SQL
 CREATE DATABASE IF NOT EXISTS \`${DB_NAME}\`
  CHARACTER SET utf8mb4
@ -202,7 +181,6 @@ replace_or_append_ini "output_buffering" "Off" "${PHP_INI}"
 replace_or_append_ini "date.timezone" "${PHP_TIMEZONE}" "${PHP_INI}"
 replace_or_append_ini "cgi.fix_pathinfo" "0" "${PHP_INI}"

-# FPM pool/socket for Apache proxy_fcgi
 sed -ri 's|^user\s*=.*|user = http|g' "${PHP_FPM_POOL_CONF}"
 sed -ri 's|^group\s*=.*|group = http|g' "${PHP_FPM_POOL_CONF}"

@ -232,31 +210,51 @@ fi

 systemctl enable --now php-fpm-legacy

-log "Configuring Valkey"
+log "Configuring Valkey (TCP localhost only)"

 backup_file "${VALKEY_CONF}"

-sed -ri \
-  -e 's|^#?\s*port\s+.*|port 0|g' \
-  -e 's|^#?\s*unixsocket\s+.*|unixsocket /run/redis/redis.sock|g' \
-  -e 's|^#?\s*unixsocketperm\s+.*|unixsocketperm 770|g' \
-  -e 's|^#?\s*supervised\s+.*|supervised systemd|g' \
-  "${VALKEY_CONF}"
-
-# Make sure the web user can access the socket
-if getent group valkey >/dev/null 2>&1; then
-  usermod -aG valkey "${APACHE_RUN_USER}" || true
+# Avoid unix socket issues entirely; listen only on localhost
+if grep -Eq '^[#[:space:]]*bind ' "${VALKEY_CONF}"; then
+  sed -ri 's|^[#[:space:]]*bind .*|bind 127.0.0.1 ::1|g' "${VALKEY_CONF}"
+else
+  echo "bind 127.0.0.1 ::1" >> "${VALKEY_CONF}"
 fi

+if grep -Eq '^[#[:space:]]*port ' "${VALKEY_CONF}"; then
+  sed -ri 's|^[#[:space:]]*port .*|port 6379|g' "${VALKEY_CONF}"
+else
+  echo "port 6379" >> "${VALKEY_CONF}"
+fi
+
+if grep -Eq '^[#[:space:]]*protected-mode ' "${VALKEY_CONF}"; then
+  sed -ri 's|^[#[:space:]]*protected-mode .*|protected-mode yes|g' "${VALKEY_CONF}"
+else
+  echo "protected-mode yes" >> "${VALKEY_CONF}"
+fi
+
+# Disable unix socket lines to prevent service start issues
+sed -ri 's|^[#[:space:]]*unixsocket .*|# unixsocket disabled by install script|g' "${VALKEY_CONF}" || true
+sed -ri 's|^[#[:space:]]*unixsocketperm .*|# unixsocketperm disabled by install script|g' "${VALKEY_CONF}" || true
+
+if grep -Eq '^[#[:space:]]*supervised ' "${VALKEY_CONF}"; then
+  sed -ri 's|^[#[:space:]]*supervised .*|supervised systemd|g' "${VALKEY_CONF}"
+else
+  echo "supervised systemd" >> "${VALKEY_CONF}"
+fi
+
+systemctl daemon-reload
 systemctl enable --now valkey
-systemctl restart valkey
-systemctl restart php-fpm-legacy
+
+if ! systemctl is-active --quiet valkey; then
+  journalctl -u valkey.service -n 50 --no-pager || true
+  die "valkey.service failed to start"
+fi

 log "Configuring Apache"

 backup_file "${HTTPD_CONF}"

-# Ensure useful modules are enabled
 sed -ri 's|^#(LoadModule mpm_event_module modules/mod_mpm_event.so)|\1|g' "${HTTPD_CONF}"
 sed -ri 's|^#(LoadModule rewrite_module modules/mod_rewrite.so)|\1|g' "${HTTPD_CONF}"
 sed -ri 's|^#(LoadModule headers_module modules/mod_headers.so)|\1|g' "${HTTPD_CONF}"
@ -268,7 +266,6 @@ sed -ri 's|^#(LoadModule setenvif_module modules/mod_setenvif.so)|\1|g' "${HTTPD
 sed -ri 's|^#(LoadModule proxy_module modules/mod_proxy.so)|\1|g' "${HTTPD_CONF}"
 sed -ri 's|^#(LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so)|\1|g' "${HTTPD_CONF}"

-# Keep ServerName quiet
 if grep -Eq '^[#[:space:]]*ServerName ' "${HTTPD_CONF}"; then
  sed -ri "s|^[#[:space:]]*ServerName .*|ServerName ${NEXTCLOUD_DOMAIN}:80|g" "${HTTPD_CONF}"
 else
@ -309,7 +306,6 @@ Alias /nextcloud "${NEXTCLOUD_WEBROOT}"
    Header always set X-XSS-Protection "1; mode=block"
 </IfModule>

-# Deny access to sensitive paths
 <Directory "${NEXTCLOUD_WEBROOT}/config">
    Require all denied
 </Directory>
@ -335,12 +331,10 @@ chown -R "${APACHE_RUN_USER}:${APACHE_RUN_GROUP}" "${NEXTCLOUD_CONFIG_DIR}"
 chmod 0750 "${NEXTCLOUD_CONFIG_DIR}"
 chmod 0750 "${NEXTCLOUD_CONFIG_DIR}/config"

-# Ensure package config dir is owned correctly
 chown -R "${APACHE_RUN_USER}:${APACHE_RUN_GROUP}" /etc/webapps/nextcloud
 chmod 0750 /etc/webapps/nextcloud
 chmod 0640 /etc/webapps/nextcloud/config/config.php || true

-# Data dir ownership
 chown -R "${APACHE_RUN_USER}:${APACHE_RUN_GROUP}" "${NEXTCLOUD_DATA_DIR}"
 find "${NEXTCLOUD_DATA_DIR}" -type d -exec chmod 0750 {} \;
 find "${NEXTCLOUD_DATA_DIR}" -type f -exec chmod 0640 {} \; 2>/dev/null || true
@ -371,7 +365,6 @@ fi

 log "Applying Nextcloud config"

-occ config:system:set trusted_domains 0 --value="${TRUSTED_DOMAINS[0]}"
 for i in "${!TRUSTED_DOMAINS[@]}"; do
  occ config:system:set trusted_domains "${i}" --value="${TRUSTED_DOMAINS[$i]}"
 done
@ -383,17 +376,15 @@ occ maintenance:update:htaccess
 occ config:system:set memcache.local --value='\OC\Memcache\APCu'
 occ config:system:set memcache.locking --value='\OC\Memcache\Redis'
 occ config:system:set filelocking.enabled --type=boolean --value=true
-occ config:system:set redis host --value="/run/redis/redis.sock"
-occ config:system:set redis port --type=integer --value=0
+occ config:system:set redis host --value="127.0.0.1"
+occ config:system:set redis port --type=integer --value=6379

-# Sensible extras
 occ config:system:set default_phone_region --value="US" || true
 occ config:system:set maintenance_window_start --type=integer --value=1 || true

-log "Enabling system cron"
+log "Enabling cron"

 systemctl enable --now nextcloud-cron.service || true
-systemctl list-timers --all | grep -i nextcloud || true

 log "Final service restarts"

@ -410,12 +401,6 @@ systemctl --no-pager --full status valkey | sed -n '1,12p' || true
 systemctl --no-pager --full status php-fpm-legacy | sed -n '1,12p' || true
 systemctl --no-pager --full status httpd | sed -n '1,12p' || true

-if [[ -S /run/redis/redis.sock ]]; then
-  ls -l /run/redis/redis.sock
-else
-  echo "WARNING: /run/redis/redis.sock not found"
-fi
-
 echo
 echo "=============================================="
 echo "Nextcloud install completed."
@ -424,10 +409,10 @@ echo "Admin user: ${NC_ADMIN_USER}"
 echo "Data dir: ${NEXTCLOUD_DATA_DIR}"
 echo "Web root: ${NEXTCLOUD_WEBROOT}"
 echo "Config dir: ${NEXTCLOUD_CONFIG_DIR}"
+echo "Valkey: 127.0.0.1:6379"
 echo "=============================================="
 echo
 echo "IMPORTANT:"
-echo "1) This script sets up HTTP only."
-echo "2) Put TLS in front of it or add an HTTPS vhost."
-echo "3) If you use a reverse proxy, update overwritehost/overwriteprotocol."
-echo
+echo "1) This sets up HTTP only."
+echo "2) Add TLS separately or put it behind a reverse proxy."
+echo "3) Edit the variables at the top before running."