RomanNum3ral
/
nextcloud-install
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nextcloud-install/arch_install.sh

433 lines
13 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
set -Eeuo pipefail
########################################
# USER CONFIG
########################################
# Site / domain
NEXTCLOUD_DOMAIN="cloud.example.com"
TRUSTED_DOMAINS=("cloud.example.com" "192.168.1.10")
# Paths
NEXTCLOUD_WEBROOT="/usr/share/webapps/nextcloud"
NEXTCLOUD_CONFIG_DIR="/etc/webapps/nextcloud"
NEXTCLOUD_DATA_DIR="/var/lib/nextcloud/data"
# Database
DB_NAME="nextcloud"
DB_USER="nextcloud"
DB_PASS="CHANGE_ME_DB_PASSWORD"
# Nextcloud admin user
NC_ADMIN_USER="admin"
NC_ADMIN_PASS="CHANGE_ME_ADMIN_PASSWORD"
# PHP / timezone
PHP_MEMORY_LIMIT="1024M"
PHP_UPLOAD_LIMIT="16G"
PHP_MAX_EXECUTION_TIME="3600"
PHP_TIMEZONE="America/New_York"
# Apache
APACHE_RUN_USER="http"
APACHE_RUN_GROUP="http"
# HTTPS note:
# This script configures HTTP on port 80 only.
# Put it behind your TLS reverse proxy or add your cert/vhost later.
# SMB external storage mount (optional)
ENABLE_SMB_MOUNT="false"
SMB_REMOTE="//server/share"
SMB_MOUNTPOINT="/mnt/nextcloud"
SMB_CREDENTIALS_FILE="/root/.smbcredentials"
# If ENABLE_SMB_MOUNT=true, this gets added to /etc/fstab
# Arch uses user/group "http", not "www-data"
SMB_FSTAB_OPTIONS="rw,credentials=${SMB_CREDENTIALS_FILE},uid=http,gid=http,iocharset=utf8,file_mode=0770,dir_mode=0770,noserverino,nounix,_netdev,x-systemd.automount"
########################################
# INTERNALS
########################################
PHP_INI="/etc/php-legacy/php.ini"
PHP_FPM_POOL_CONF="/etc/php-legacy/php-fpm.d/www.conf"
HTTPD_CONF="/etc/httpd/conf/httpd.conf"
HTTPD_NEXTCLOUD_CONF="/etc/httpd/conf/extra/nextcloud.conf"
HTTPD_WELLKNOWN_CONF="/etc/httpd/conf/extra/nextcloud-wellknown.conf"
VALKEY_CONF="/etc/valkey/valkey.conf"
MYSQL_SOCKET="/run/mysqld/mysqld.sock"
log() {
echo
echo "==== $* ===="
}
die() {
echo "ERROR: $*" >&2
exit 1
}
require_root() {
[[ "${EUID}" -eq 0 ]] || die "Run this script as root."
}
backup_file() {
local f="$1"
[[ -f "$f" ]] && cp -an "$f" "${f}.bak.$(date +%F-%H%M%S)" || true
}
replace_or_append_ini() {
local key="$1"
local value="$2"
local file="$3"
if grep -Eq "^[;[:space:]]*${key}[[:space:]]*=" "$file"; then
sed -ri "s|^[;[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|g" "$file"
else
echo "${key} = ${value}" >> "$file"
fi
}
ensure_line() {
local line="$1"
local file="$2"
grep -Fqx "$line" "$file" || echo "$line" >> "$file"
}
random_secret() {
tr -dc 'A-Za-z0-9!@#%^*_+=' < /dev/urandom | head -c 32
}
occ() {
sudo -u "${APACHE_RUN_USER}" php-legacy "${NEXTCLOUD_WEBROOT}/occ" "$@"
}
########################################
# START
########################################
require_root
log "Validating variables"
[[ "${NEXTCLOUD_DOMAIN}" != "cloud.example.com" ]] || echo "WARNING: NEXTCLOUD_DOMAIN still set to default example value."
[[ "${DB_PASS}" != "CHANGE_ME_DB_PASSWORD" ]] || die "Set DB_PASS at the top of the script."
[[ "${NC_ADMIN_PASS}" != "CHANGE_ME_ADMIN_PASSWORD" ]] || die "Set NC_ADMIN_PASS at the top of the script."
if [[ "${ENABLE_SMB_MOUNT}" == "true" ]]; then
[[ -f "${SMB_CREDENTIALS_FILE}" ]] || die "ENABLE_SMB_MOUNT=true but credentials file ${SMB_CREDENTIALS_FILE} does not exist."
fi
log "Installing packages"
pacman -Syu --noconfirm
pacman -S --needed --noconfirm \
apache \
mariadb \
nextcloud \
php-legacy \
php-legacy-fpm \
php-legacy-gd \
php-legacy-apcu \
php-legacy-redis \
php-legacy-intl \
php-legacy-sodium \
valkey \
cifs-utils \
smbclient \
curl \
sudo \
unzip \
bzip2 \
tar
log "Creating base directories"
mkdir -p "${NEXTCLOUD_DATA_DIR}"
chown -R "${APACHE_RUN_USER}:${APACHE_RUN_GROUP}" /var/lib/nextcloud
chmod 0750 /var/lib/nextcloud
chmod 0750 "${NEXTCLOUD_DATA_DIR}"
mkdir -p /var/log/httpd
mkdir -p /run/httpd
log "Initializing and configuring MariaDB"
if [[ ! -d /var/lib/mysql/mysql ]]; then
mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
fi
systemctl enable --now mariadb
# Wait for MariaDB
for _ in {1..30}; do
if mariadb-admin ping >/dev/null 2>&1; then
break
fi
sleep 1
done
mariadb-admin ping >/dev/null 2>&1 || die "MariaDB did not come up."
# Secure-ish local MariaDB setup and create DB/user
mariadb <<SQL
CREATE DATABASE IF NOT EXISTS \`${DB_NAME}\`
CHARACTER SET utf8mb4
COLLATE utf8mb4_general_ci;
CREATE USER IF NOT EXISTS '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASS}';
ALTER USER '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASS}';
GRANT ALL PRIVILEGES ON \`${DB_NAME}\`.* TO '${DB_USER}'@'localhost';
FLUSH PRIVILEGES;
DELETE FROM mysql.user WHERE User='';
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
SQL
log "Configuring PHP legacy stack"
backup_file "${PHP_INI}"
backup_file "${PHP_FPM_POOL_CONF}"
replace_or_append_ini "memory_limit" "${PHP_MEMORY_LIMIT}" "${PHP_INI}"
replace_or_append_ini "upload_max_filesize" "${PHP_UPLOAD_LIMIT}" "${PHP_INI}"
replace_or_append_ini "post_max_size" "${PHP_UPLOAD_LIMIT}" "${PHP_INI}"
replace_or_append_ini "max_execution_time" "${PHP_MAX_EXECUTION_TIME}" "${PHP_INI}"
replace_or_append_ini "max_input_time" "${PHP_MAX_EXECUTION_TIME}" "${PHP_INI}"
replace_or_append_ini "output_buffering" "Off" "${PHP_INI}"
replace_or_append_ini "date.timezone" "${PHP_TIMEZONE}" "${PHP_INI}"
replace_or_append_ini "cgi.fix_pathinfo" "0" "${PHP_INI}"
# FPM pool/socket for Apache proxy_fcgi
sed -ri 's|^user\s*=.*|user = http|g' "${PHP_FPM_POOL_CONF}"
sed -ri 's|^group\s*=.*|group = http|g' "${PHP_FPM_POOL_CONF}"
if grep -Eq '^[;[:space:]]*listen\s*=' "${PHP_FPM_POOL_CONF}"; then
sed -ri 's|^[;[:space:]]*listen\s*=.*|listen = /run/php-fpm-legacy/php-fpm.sock|g' "${PHP_FPM_POOL_CONF}"
else
echo "listen = /run/php-fpm-legacy/php-fpm.sock" >> "${PHP_FPM_POOL_CONF}"
fi
if grep -Eq '^[;[:space:]]*listen.owner\s*=' "${PHP_FPM_POOL_CONF}"; then
sed -ri 's|^[;[:space:]]*listen.owner\s*=.*|listen.owner = http|g' "${PHP_FPM_POOL_CONF}"
else
echo "listen.owner = http" >> "${PHP_FPM_POOL_CONF}"
fi
if grep -Eq '^[;[:space:]]*listen.group\s*=' "${PHP_FPM_POOL_CONF}"; then
sed -ri 's|^[;[:space:]]*listen.group\s*=.*|listen.group = http|g' "${PHP_FPM_POOL_CONF}"
else
echo "listen.group = http" >> "${PHP_FPM_POOL_CONF}"
fi
if grep -Eq '^[;[:space:]]*listen.mode\s*=' "${PHP_FPM_POOL_CONF}"; then
sed -ri 's|^[;[:space:]]*listen.mode\s*=.*|listen.mode = 0660|g' "${PHP_FPM_POOL_CONF}"
else
echo "listen.mode = 0660" >> "${PHP_FPM_POOL_CONF}"
fi
systemctl enable --now php-fpm-legacy
log "Configuring Valkey"
backup_file "${VALKEY_CONF}"
sed -ri \
-e 's|^#?\s*port\s+.*|port 0|g' \
-e 's|^#?\s*unixsocket\s+.*|unixsocket /run/redis/redis.sock|g' \
-e 's|^#?\s*unixsocketperm\s+.*|unixsocketperm 770|g' \
-e 's|^#?\s*supervised\s+.*|supervised systemd|g' \
"${VALKEY_CONF}"
# Make sure the web user can access the socket
if getent group valkey >/dev/null 2>&1; then
usermod -aG valkey "${APACHE_RUN_USER}" || true
fi
systemctl enable --now valkey
systemctl restart valkey
systemctl restart php-fpm-legacy
log "Configuring Apache"
backup_file "${HTTPD_CONF}"
# Ensure useful modules are enabled
sed -ri 's|^#(LoadModule mpm_event_module modules/mod_mpm_event.so)|\1|g' "${HTTPD_CONF}"
sed -ri 's|^#(LoadModule rewrite_module modules/mod_rewrite.so)|\1|g' "${HTTPD_CONF}"
sed -ri 's|^#(LoadModule headers_module modules/mod_headers.so)|\1|g' "${HTTPD_CONF}"
sed -ri 's|^#(LoadModule env_module modules/mod_env.so)|\1|g' "${HTTPD_CONF}"
sed -ri 's|^#(LoadModule dir_module modules/mod_dir.so)|\1|g' "${HTTPD_CONF}"
sed -ri 's|^#(LoadModule mime_module modules/mod_mime.so)|\1|g' "${HTTPD_CONF}"
sed -ri 's|^#(LoadModule alias_module modules/mod_alias.so)|\1|g' "${HTTPD_CONF}"
sed -ri 's|^#(LoadModule setenvif_module modules/mod_setenvif.so)|\1|g' "${HTTPD_CONF}"
sed -ri 's|^#(LoadModule proxy_module modules/mod_proxy.so)|\1|g' "${HTTPD_CONF}"
sed -ri 's|^#(LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so)|\1|g' "${HTTPD_CONF}"
# Keep ServerName quiet
if grep -Eq '^[#[:space:]]*ServerName ' "${HTTPD_CONF}"; then
sed -ri "s|^[#[:space:]]*ServerName .*|ServerName ${NEXTCLOUD_DOMAIN}:80|g" "${HTTPD_CONF}"
else
echo "ServerName ${NEXTCLOUD_DOMAIN}:80" >> "${HTTPD_CONF}"
fi
cat > "${HTTPD_WELLKNOWN_CONF}" <<'EOF'
Alias /.well-known/carddav /nextcloud/remote.php/dav/
Alias /.well-known/caldav /nextcloud/remote.php/dav/
EOF
cat > "${HTTPD_NEXTCLOUD_CONF}" <<EOF
Alias /nextcloud "${NEXTCLOUD_WEBROOT}"
<Directory "${NEXTCLOUD_WEBROOT}">
Options FollowSymLinks MultiViews
AllowOverride All
Require all granted
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME ${NEXTCLOUD_CONFIG_DIR}
SetEnv HTTP_HOME ${NEXTCLOUD_CONFIG_DIR}
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php-fpm-legacy/php-fpm.sock|fcgi://localhost/"
</FilesMatch>
<IfModule mod_headers.c>
Header always set Referrer-Policy "no-referrer"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set X-Robots-Tag "noindex, nofollow"
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
# Deny access to sensitive paths
<Directory "${NEXTCLOUD_WEBROOT}/config">
Require all denied
</Directory>
<Directory "${NEXTCLOUD_WEBROOT}/data">
Require all denied
</Directory>
EOF
ensure_line "Include conf/extra/nextcloud-wellknown.conf" "${HTTPD_CONF}"
ensure_line "Include conf/extra/nextcloud.conf" "${HTTPD_CONF}"
apachectl configtest || die "Apache config test failed."
systemctl enable --now httpd
log "Preparing Nextcloud config and permissions"
mkdir -p "${NEXTCLOUD_CONFIG_DIR}/config"
mkdir -p "${NEXTCLOUD_CONFIG_DIR}/apps"
mkdir -p "${NEXTCLOUD_CONFIG_DIR}/data"
chown -R "${APACHE_RUN_USER}:${APACHE_RUN_GROUP}" "${NEXTCLOUD_CONFIG_DIR}"
chmod 0750 "${NEXTCLOUD_CONFIG_DIR}"
chmod 0750 "${NEXTCLOUD_CONFIG_DIR}/config"
# Ensure package config dir is owned correctly
chown -R "${APACHE_RUN_USER}:${APACHE_RUN_GROUP}" /etc/webapps/nextcloud
chmod 0750 /etc/webapps/nextcloud
chmod 0640 /etc/webapps/nextcloud/config/config.php || true
# Data dir ownership
chown -R "${APACHE_RUN_USER}:${APACHE_RUN_GROUP}" "${NEXTCLOUD_DATA_DIR}"
find "${NEXTCLOUD_DATA_DIR}" -type d -exec chmod 0750 {} \;
find "${NEXTCLOUD_DATA_DIR}" -type f -exec chmod 0640 {} \; 2>/dev/null || true
log "Optional SMB mount setup"
if [[ "${ENABLE_SMB_MOUNT}" == "true" ]]; then
mkdir -p "${SMB_MOUNTPOINT}"
if ! grep -Fq "${SMB_MOUNTPOINT} " /etc/fstab; then
echo "${SMB_REMOTE} ${SMB_MOUNTPOINT} cifs ${SMB_FSTAB_OPTIONS} 0 0" >> /etc/fstab
fi
mount -a
chown "${APACHE_RUN_USER}:${APACHE_RUN_GROUP}" "${SMB_MOUNTPOINT}" || true
fi
log "Installing Nextcloud non-interactively"
if [[ ! -f "${NEXTCLOUD_CONFIG_DIR}/config/config.php" ]] || grep -q "CAN_INSTALL" "${NEXTCLOUD_CONFIG_DIR}/config/config.php" 2>/dev/null; then
sudo -u "${APACHE_RUN_USER}" php-legacy "${NEXTCLOUD_WEBROOT}/occ" maintenance:install \
--database "mysql" \
--database-name "${DB_NAME}" \
--database-user "${DB_USER}" \
--database-pass "${DB_PASS}" \
--admin-user "${NC_ADMIN_USER}" \
--admin-pass "${NC_ADMIN_PASS}" \
--data-dir "${NEXTCLOUD_DATA_DIR}"
fi
log "Applying Nextcloud config"
occ config:system:set trusted_domains 0 --value="${TRUSTED_DOMAINS[0]}"
for i in "${!TRUSTED_DOMAINS[@]}"; do
occ config:system:set trusted_domains "${i}" --value="${TRUSTED_DOMAINS[$i]}"
done
occ config:system:set overwrite.cli.url --value="http://${NEXTCLOUD_DOMAIN}/nextcloud"
occ config:system:set htaccess.RewriteBase --value="/nextcloud"
occ maintenance:update:htaccess
occ config:system:set memcache.local --value='\OC\Memcache\APCu'
occ config:system:set memcache.locking --value='\OC\Memcache\Redis'
occ config:system:set filelocking.enabled --type=boolean --value=true
occ config:system:set redis host --value="/run/redis/redis.sock"
occ config:system:set redis port --type=integer --value=0
# Sensible extras
occ config:system:set default_phone_region --value="US" || true
occ config:system:set maintenance_window_start --type=integer --value=1 || true
log "Enabling system cron"
systemctl enable --now nextcloud-cron.service || true
systemctl list-timers --all | grep -i nextcloud || true
log "Final service restarts"
systemctl restart mariadb
systemctl restart valkey
systemctl restart php-fpm-legacy
systemctl restart httpd
log "Post-install checks"
apachectl configtest
systemctl --no-pager --full status mariadb | sed -n '1,12p' || true
systemctl --no-pager --full status valkey | sed -n '1,12p' || true
systemctl --no-pager --full status php-fpm-legacy | sed -n '1,12p' || true
systemctl --no-pager --full status httpd | sed -n '1,12p' || true
if [[ -S /run/redis/redis.sock ]]; then
ls -l /run/redis/redis.sock
else
echo "WARNING: /run/redis/redis.sock not found"
fi
echo
echo "=============================================="
echo "Nextcloud install completed."
echo "URL: http://${NEXTCLOUD_DOMAIN}/nextcloud"
echo "Admin user: ${NC_ADMIN_USER}"
echo "Data dir: ${NEXTCLOUD_DATA_DIR}"
echo "Web root: ${NEXTCLOUD_WEBROOT}"
echo "Config dir: ${NEXTCLOUD_CONFIG_DIR}"
echo "=============================================="
echo
echo "IMPORTANT:"
echo "1) This script sets up HTTP only."
echo "2) Put TLS in front of it or add an HTTPS vhost."
echo "3) If you use a reverse proxy, update overwritehost/overwriteprotocol."
echo
Reference in New Issue View Git Blame Copy Permalink