Consolidations script 1 and 2

install-nextcloud.sh

@@ -24,6 +24,13 @@ function restart_all_services() {
 /usr/sbin/service redis-server restart
 /usr/sbin/service php7.2-fpm restart
 }
+###global function to scan Nextcloud data and generate an overview for fail2ban & ufw
+function nextcloud_scan_data() {
+sudo -u www-data php /var/www/nextcloud/occ files:scan --all
+sudo -u www-data php /var/www/nextcloud/occ files:scan-app-data
+fail2ban-client status nextcloud
+ufw status verbose
+}
 cd /usr/local/src
 update_and_clean
 ###prepare the server environment
@@ -215,19 +222,19 @@ innodb_file_format=barracuda
 innodb_file_per_table=1
 EOF
 clear
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
-echo "The Nextcloud-DB username and the Nextcloud-DB password - Attention: case-sensitive:"
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
-echo "Keep both in mind - you will be asked for while finishing the Nextcloud-Wizard!"
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "The Nextcloud-DB username and password - Attention: password is case-sensitive:"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 echo ""
 read -p "Nextcloud DB-Username: " NEXTCLOUDDBUSER
+echo ""
 echo "Your Nextcloud-DB user: "$NEXTCLOUDDBUSER
 echo ""
 read -p "Nextcloud DB-Password: " NEXTCLOUDDBPASSWORD
+echo ""
 echo "Your Nextcloud-DB password: "$NEXTCLOUDDBPASSWORD
 echo ""
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 echo ""
 ###restart MariaDB server andconnect to MariaDB
 service mysql restart && mysql -uroot <<EOF
@@ -424,9 +431,9 @@ rm latest.tar.bz2
 update_and_clean
 restart_all_services
 clear
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
-echo "The Nextcloud-Administrator and Password - Attention: password is case-sensitive:"
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "Nextcloud-Administrator and password - Attention: password is case-sensitive:"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 echo ""
 echo "Your Nextcloud-DB user: "$NEXTCLOUDDBUSER
 echo ""
@@ -438,20 +445,131 @@ echo ""
 read -p "Enter your Nextcloud Administrator password: " NEXTCLOUDADMINUSERPASSWORD
 echo "Your Nextcloud Administrator password: "$NEXTCLOUDADMINUSERPASSWORD
 echo ""
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo ""
+echo "Your NEXTCLOUD will now be installed silently - please be patient ..."
 echo ""
-echo " NEXTCLOUD will now be installed silently - be patient ..."
 sudo -u www-data php /var/www/nextcloud/occ maintenance:install --database "mysql" --database-name "nextcloud"  --database-user "$NEXTCLOUDDBUSER" --database-pass "$NEXTCLOUDDBPASSWORD" --admin-user "$NEXTCLOUDADMINUSER" --admin-pass "$NEXTCLOUDADMINUSERPASSWORD" --data-dir "/var/nc_data"
 declare -l YOURSERVERNAME
-###read the current hostname
+###read and store the current hostname in lowercases
 YOURSERVERNAME=$(hostname)
 sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
 sudo -u www-data php /var/www/nextcloud/occ config:system:set trusted_domains 0 --value=$YOURSERVERNAME
 sudo -u www-data sed -in 's/http:\/\/localhost/https:\/\/'$YOURSERVERNAME'/' /var/www/nextcloud/config/config.php
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+###backup of the effected file .user.ini
+cp /var/www/nextcloud/.user.ini /var/www/nextcloud/.user.ini.bak
+###apply Nextcloud optimizations
+sudo -u www-data sed -i "s/upload_max_filesize=.*/upload_max_filesize=10240M/" /var/www/nextcloud/.user.ini
+sudo -u www-data sed -i "s/post_max_size=.*/post_max_size=10240M/" /var/www/nextcloud/.user.ini
+sudo -u www-data sed -i "s/output_buffering=.*/output_buffering='Off'/" /var/www/nextcloud/.user.ini
+sudo -u www-data cp /var/www/nextcloud/config/config.php /var/www/nextcloud/config/config.php.bak
+sudo -u www-data php /var/www/nextcloud/occ background:cron
+###apply optimizations to Nextclouds global config.php
+sed -i '/);/d' /var/www/nextcloud/config/config.php
+cat <<EOF >>/var/www/nextcloud/config/config.php
+'activity_expire_days' => 14,
+'auth.bruteforce.protection.enabled' => true,
+'blacklisted_files' =>
+array (
+0 => '.htaccess',
+1 => 'Thumbs.db',
+2 => 'thumbs.db',
+),
+'cron_log' => true,
+'enable_previews' => true,
+'enabledPreviewProviders' =>
+array (
+0 => 'OC\\Preview\\PNG',
+1 => 'OC\\Preview\\JPEG',
+2 => 'OC\\Preview\\GIF',
+3 => 'OC\\Preview\\BMP',
+4 => 'OC\\Preview\\XBitmap',
+5 => 'OC\\Preview\\Movie',
+6 => 'OC\\Preview\\PDF',
+7 => 'OC\\Preview\\MP3',
+8 => 'OC\\Preview\\TXT',
+9 => 'OC\\Preview\\MarkDown',
+),
+'filesystem_check_changes' => 0,
+'filelocking.enabled' => 'true',
+'htaccess.RewriteBase' => '/',
+'integrity.check.disabled' => false,
+'knowledgebaseenabled' => false,
+'logtimezone' => 'Europe/Berlin',
+'log_rotate_size' => 104857600,
+'memcache.local' => '\\OC\\Memcache\\APCu',
+'memcache.locking' => '\\OC\\Memcache\\Redis',
+'preview_max_x' => 1024,
+'preview_max_y' => 768,
+'preview_max_scale_factor' => 1,
+'redis' =>
+array (
+'host' => '/var/run/redis/redis.sock',
+'port' => 0,
+'timeout' => 0.0,
+),
+'quota_include_external_storage' => false,
+'share_folder' => '/Shares',
+'skeletondirectory' => '',
+'trashbin_retention_obligation' => 'auto, 7',
+);
+EOF
+###remove leading whitespaces
+sed -i 's/^[ ]*//' /var/www/nextcloud/config/config.php
+restart_all_services
+update_and_clean
+###installfail2ban
+apt install fail2ban -y
+###create a fail2ban Nextcloud filter 
+touch /etc/fail2ban/filter.d/nextcloud.conf
+cat <<EOF >/etc/fail2ban/filter.d/nextcloud.conf
+[Definition]
+failregex=^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
+            ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","app":"core".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
+            ^.*\"remoteAddr\":\"<HOST>\".*Trusted domain error.*\$
+EOF
+###create a fail2ban Nextcloud jail
+touch /etc/fail2ban/jail.d/nextcloud.local
+cat <<EOF >/etc/fail2ban/jail.d/nextcloud.local
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+maxretry = 3
+bantime = 36000
+findtime = 36000
+logpath = /var/nc_data/nextcloud.log
+EOF
+update_and_clean
+###install ufw
+apt install ufw -y
+###open firewall ports 80+443 for http(s)
+ufw allow 80/tcp
+ufw allow 443/tcp
+###open firewall port 22 for SSH
+ufw allow 22/tcp
+###enable UFW (autostart)
+ufw enable
+###restart fail2ban, ufw and redis-server services
+/usr/sbin/service ufw restart
+/usr/sbin/service fail2ban restart
+/usr/sbin/service redis-server restart
+###clean up redis-server
+redis-cli -s /var/run/redis/redis.sock <<EOF
+FLUSHALL
+quit
+EOF
+restart_all_services
+nextcloud_scan_data
 echo ""
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 echo ""
-echo " Open your browser and call: https://$YOURSERVERNAME"
-echo""
-echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
+echo " Open your browser and call your Nextcloud at"
+echo ""
+echo " https://$YOURSERVERNAME"
+echo ""
+echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 exit 0