Make templating safer and more verbose (#1343)

* letsencrypt: fix active status check

Signed-off-by: nachoparker <nacho@ownyourbits.com>

* letsencrypt: take into account duplicate domains ending in -0001

Signed-off-by: nachoparker <nacho@ownyourbits.com>

* letsencrypt: fix renewal with httpsonly enabled

Signed-off-by: nachoparker <nacho@ownyourbits.com>

* fix inverted template logic for docker

Signed-off-by: nachoparker <nacho@ownyourbits.com>

* library.sh: Move templating to separate function

- Backup old file before templating (and restore on failure)
- Use stderr in the template for debug/info output

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* library.sh: Fix syntax error

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* library.sh: Only fallback to default config if explicitly allowed

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* letsencrypt.sh: Set cert-name

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* nextcloud.conf.sh: Use certificate named ncp-nextcloud if available

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* letsencrypt.sh: Support multiple, comma separated domains in field "OTHER_DOMAIN"

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* nextcloud.conf.sh: Fix path resolution for certificates

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* letsencrypt.sh: Improve warning about max trusted domains reached

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* letsencrypt.sh: Fix max trusted domains check

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* letsencrypt.sh: Fix splitting of domain string by comma

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* letsencrypt.sh: Fix splitting of domain string to array

Signed-off-by: Tobias K <6317548+theCalcaholic@users.noreply.github.com>

* adjustments for docker/lxc

Signed-off-by: nachoparker <nacho@ownyourbits.com>

Co-authored-by: nachoparker <nacho@ownyourbits.com>

Author: theCalcaholic

bin/ncp/CONFIG/nc-nextcloud.sh

@@ -181,12 +181,9 @@ EOF
 
 ## SET APACHE VHOST
   echo "Setting up Apache..."
-  bash /usr/local/etc/ncp-templates/nextcloud.conf.sh > /etc/apache2/sites-available/nextcloud.conf || {
-    echo "ERROR: An error occured while generating the nextcloud apache2 config. Attempting safe mode..."
-    bash /usr/local/etc/ncp-templates/nextcloud.conf.sh --defaults > /etc/apache2/sites-available/nextcloud.conf || {
-      echo "ERROR: Safe mode templating failed as well. Nextcloud will not work."
+  install_template nextcloud.conf.sh /etc/apache2/sites-available/nextcloud.conf --allow-fallback || {
+      echo "ERROR: Parsing template failed. Nextcloud will not work."
       exit 1
-    }
   }
   a2ensite nextcloud
 

bin/ncp/NETWORKING/letsencrypt.sh

@@ -57,24 +57,30 @@ configure()
     rm -f /etc/cron.weekly/letsencrypt-ncp
     rm -f /etc/letsencrypt/renewal-hooks/deploy/ncp
     [[ "$DOCKERBUILD" == 1 ]] && update-rc.d letsencrypt disable
-    bash /usr/local/etc/ncp-templates/nextcloud.conf.sh > ${nc_vhostcfg}
+    install_template nextcloud.conf.sh "${nc_vhostcfg}"
     echo "letsencrypt certificates disabled. Using self-signed certificates instead."
     exit 0
   }
   local DOMAIN_LOWERCASE="${DOMAIN,,}"
+  local OTHER_DOMAINS_ARRAY
 
   [[ "$DOMAIN" == "" ]] && { echo "empty domain"; return 1; }
 
+  local IFS_BK="$IFS"
+  IFS=",$IFS" OTHER_DOMAINS_ARRAY=(${OTHER_DOMAIN})
+  IFS="$IFS_BK"
+
   # Do it
   local domain_string=""
-  for domain in $DOMAIN $OTHER_DOMAIN; do
+  for domain in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"; do
     [[ "$domain" != "" ]] && {
       [[ $domain_string == "" ]] && \
         domain_string+="${domain}" || \
         domain_string+=",${domain}"
     }
   done
-  "${letsencrypt}" certonly -n --force-renew --no-self-upgrade --webroot -w "${ncdir}" --hsts --agree-tos -m "${EMAIL}" -d "${domain_string}" && {
+  "${letsencrypt}" certonly -n --force-renew --cert-name ncp-nextcloud --no-self-upgrade --webroot -w "${ncdir}" \
+    --hsts --agree-tos -m "${EMAIL}" -d "${domain_string}" && {
 
     # Set up auto-renewal
     cat > /etc/cron.weekly/letsencrypt-ncp <<EOF
@@ -106,15 +112,20 @@ EOF
     chmod +x /etc/letsencrypt/renewal-hooks/deploy/ncp
 
     # Configure Apache
-    bash /usr/local/etc/ncp-templates/nextcloud.conf.sh > ${nc_vhostcfg}
+    install_template nextcloud.conf.sh "${nc_vhostcfg}"
     sed -i "s|SSLCertificateFile.*|SSLCertificateFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/fullchain.pem|" $vhostcfg2
     sed -i "s|SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN_LOWERCASE/privkey.pem|" $vhostcfg2
 
     # Configure Nextcloud
     local domain_index="${TRUSTED_DOMAINS[letsencrypt_1]}"
-    for dom in $DOMAIN $OTHER_DOMAIN; do
+    for dom in $DOMAIN "${OTHER_DOMAINS_ARRAY[@]}"; do
       [[ "$dom" != "" ]] && {
-        ncc config:system:set trusted_domains $domain_index --value=$dom
+        [[ $domain_index -lt 20 ]] || {
+          echo "WARN: $dom will not be included in trusted domains for Nextcloud (maximum reached)." \
+            "It will still be included in the SSL certificate"
+          continue
+        }
+        ncc config:system:set trusted_domains "$domain_index" --value="$dom"
         ((domain_index++))
       }
     done

bin/ncp/SYSTEM/metrics.sh

@@ -35,7 +35,7 @@ configure() {
 
   if [[ "$ACTIVE" != yes ]]
   then
-    bash /usr/local/etc/ncp-templates/nextcloud.conf.sh --defaults > /etc/apache2/sites-available/nextcloud.conf
+    install_template nextcloud.conf.sh /etc/apache2/sites-available/nextcloud.conf
 
     systemctl disable prometheus-node-exporter
     service prometheus-node-exporter stop
@@ -59,9 +59,8 @@ configure() {
     rm -f "${htpasswd_file}"
     echo "$PASSWORD" | htpasswd -ciB "${htpasswd_file}" "$USER"
 
-    bash /usr/local/etc/ncp-templates/nextcloud.conf.sh > /etc/apache2/sites-available/nextcloud.conf || {
-      echo "An unexpected error occurred while configuring apache. Rolling back..." >&2
-      bash /usr/local/etc/ncp-templates/nextcloud.conf.sh --defaults > /etc/apache2/sites-available/nextcloud.conf
+    install_template nextcloud.conf.sh /etc/apache2/sites-available/nextcloud.conf || {
+      echo "ERROR while generating nextcloud.conf! Exiting..."
       return 1
     }
 

changelog.md

@@ -1,7 +1,11 @@
 
-[v1.40.2](https://github.com/nextcloud/nextcloudpi/commit/fc3f978) (2021-10-05) nc-update-nc: BTRFS support
+[v1.40.4](https://github.com/nextcloud/nextcloudpi/commit/9fa18af) (2021-10-06) Make templating safer and more verbose (#1343)
 
-[v1.40.1](https://github.com/nextcloud/nextcloudpi/commit/7c361c5) (2021-10-05) update: improve check for apt (#1356)
+[v1.40.3 ](https://github.com/nextcloud/nextcloudpi/commit/8a6c1c0) (2021-10-06) ncp-check-nc-version: dont notify the same version more than once
+
+[v1.40.2 ](https://github.com/nextcloud/nextcloudpi/commit/ea1e00c) (2021-10-05) nc-update-nc: BTRFS support
+
+[v1.40.1 ](https://github.com/nextcloud/nextcloudpi/commit/7c361c5) (2021-10-05) update: improve check for apt (#1356)
 
 [v1.40.0 ](https://github.com/nextcloud/nextcloudpi/commit/a0728d7) (2021-10-04) nc-notify-updates: notify of new supported NC versions
 

etc/library.sh

@@ -183,6 +183,29 @@ function find_app_param_num()
 
 }
 
+install_template() {
+  local template="${1?}"
+  local target="${2?}"
+  local bkp="$(mktemp)"
+  [[ -f "$target" ]] && cp -a "$target" "$bkp"
+  {
+    if [[ "$3" == "--defaults" ]]; then
+      { bash "/usr/local/etc/ncp-templates/$template" --defaults > "$target"; } 2>&1
+    else
+      { bash "/usr/local/etc/ncp-templates/$template" > "$target"; } 2>&1 || \
+      {
+        [[ "$3" == "--allow-fallback" ]] && \
+        { bash "/usr/local/etc/ncp-templates/$template" --defaults > "$target"; } 2>&1
+      }
+    fi
+  } || {
+    echo "ERROR: Could not generate $target from template $template. Rolling back..."
+    mv "$bkp" "$target"
+    return 1
+  }
+  rm "$bkp"
+}
+
 find_app_param()
 {
   local script="${1?}"

etc/ncp-templates/nextcloud.conf.sh

@@ -3,6 +3,9 @@
 set -e
 source /usr/local/etc/library.sh
 
+[[ "$1" != "--defaults" ]] || echo "INFO: Restoring template to default settings" >&2
+[[ ! -f /.docker-image ]]  || echo "INFO: Docker installation detected" >&2
+
 if [[ "$1" != "--defaults" ]]; then
   LETSENCRYPT_DOMAIN="$(
     # force defaults during initial build
@@ -13,7 +16,10 @@ if [[ "$1" != "--defaults" ]]; then
   )"
 fi
 
-if ! [[ -f /.ncp-image ]] && [[ "$1" != "--defaults" ]]; then
+[[ -z "$LETSENCRYPT_DOMAIN" ]] || echo "INFO: Letsencrypt domain is ${LETSENCRYPT_DOMAIN}" >&2
+
+# skip during build
+if ! [[ -f /.ncp-image ]] && [[ "$1" != "--defaults" ]] && [[ -f "${BINDIR}/SYSTEM/metrics.sh" ]]; then
   METRICS_IS_ENABLED="$(
   source "${BINDIR}/SYSTEM/metrics.sh"
   tmpl_metrics_enabled && echo yes || echo no
@@ -22,6 +28,8 @@ else
   METRICS_IS_ENABLED=no
 fi
 
+echo "INFO: Metrics enabled: ${METRICS_IS_ENABLED}" >&2
+
 echo "### DO NOT EDIT! THIS FILE HAS BEEN AUTOMATICALLY GENERATED. CHANGES WILL BE OVERWRITTEN ###"
 echo ""