-
Notifications
You must be signed in to change notification settings - Fork 9
Expand file tree
/
Copy pathnextcloud.sh
More file actions
267 lines (202 loc) · 5.76 KB
/
Copy pathnextcloud.sh
File metadata and controls
267 lines (202 loc) · 5.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
#!/bin/bash
set -xe
cd /
apt update
sed -i 's/#$nrconf{restart} = '"'"'i'"'"';/$nrconf{restart} = '"'"'a'"'"';/g' /etc/needrestart/needrestart.conf
apt install -y debian-keyring debian-archive-keyring
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
apt-get update
apt -y install python3-pip caddy
pip install gunicorn ifcfg flask flask_qrcode icmplib
git clone -b v3.1-dev https://github.com/donaldzou/WGDashboard.git wgdashboard
cd /wgdashboard/src
chmod u+x wgd.sh
./wgd.sh install
DEBIAN_FRONTEND=noninteractive sudo apt update && sudo apt install -y wireguard
export SERVER_NAME="serverwg"
export INTERFACE_WG="wg0"
sudo mkdir -p /etc/wireguard/keys;
wg genkey | sudo tee "/etc/wireguard/keys/${SERVER_NAME}.key" | \
wg pubkey | sudo tee "/etc/wireguard/keys/${SERVER_NAME}.key.pub";
echo y | ufw reset
echo
echo "CREATING THE SERVER CONFIG"
echo
DEFAULT_INTERFACE="$(ip -o -4 route show to default | awk '{print $5}')"
MAIN_IP="$(hostname -I | cut -d' ' -f1)"
PRIVATE_KEY=$(sudo cat /etc/wireguard/keys/${SERVER_NAME}.key)
PORT=$(shuf -i 52800-53000 -n1)
cat << EOF | sudo tee "/etc/wireguard/${INTERFACE_WG}.conf"
[Interface]
Address = 10.0.0.1/24
ListenPort = ${PORT}
PrivateKey = ${PRIVATE_KEY}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${DEFAULT_INTERFACE} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${DEFAULT_INTERFACE} -j MASQUERADE
SaveConfig = true
EOF
sudo chmod 600 "/etc/wireguard/${INTERFACE_WG}.conf" "/etc/wireguard/keys/${SERVER_NAME}.key"
echo
echo "ACTIVATING WIREGUARD SERVICE"
echo
sudo wg-quick up "${INTERFACE_WG}"
sudo wg show "${INTERFACE_WG}"
echo
echo "ENABLE WIREGUARD SERVICE AT BOOT"
echo
sudo systemctl enable wg-quick@wg0
echo
echo "SETTING UP IP FORWARDING"
echo
sudo sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p
echo
echo "ACTIVATING FIREWALL"
echo
sudo ufw allow 10086/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow ${PORT}/udp
sudo ufw allow 8443/tcp
sudo ufw allow 3478/tcp
sudo ufw allow 3478/udp
sudo ufw allow 22/tcp # might want to keep ssh open ;-)
echo y | ufw enable
#sudo ufw enable # this will prompt yes/no :(
sudo ufw status verbose
chmod -R 755 /etc/wireguard
cat << EOF | sudo tee "/etc/systemd/system/wg-dash.service"
[Unit]
After=syslog.target network-online.target
ConditionPathIsDirectory=/etc/wireguard
[Service]
Type=forking
User=root
Group=root
PIDFile=/wgdashboard/src/gunicron.pid
WorkingDirectory=/wgdashboard/src
ExecStart=/usr/bin/env gunicorn --access-logfile /wgdashboard/src/log/access.log --error-logfile /wgdashboard/src/log/error.log 'dashboard:run_dashboard()' --pid /wgdashboard/src/gunicron.pid
PrivateTmp=true
Restart=no
[Install]
WantedBy=multi-user.target
EOF
cat << EOF | sudo tee "/wgdashboard/src/wg-dashboard.ini"
[Account]
username = admin
password = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
[Server]
wg_conf_path = /etc/wireguard
app_ip = 127.0.0.1
app_port = 10085
auth_req = true
version = v3.1
dashboard_refresh_interval = 60000
dashboard_sort = status
dashboard_theme = light
[Peers]
peer_global_dns = 1.1.1.1
peer_endpoint_allowed_ip = 0.0.0.0/0
peer_display_mode = grid
remote_endpoint = ${MAIN_IP}
peer_mtu = 1342
peer_keep_alive = 21
EOF
cat << EOF | sudo tee "/root/compose.yaml"
services:
nextcloud:
image: nextcloud/all-in-one:latest
restart: always
container_name: nextcloud-aio-mastercontainer
volumes:
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config
- /var/run/docker.sock:/var/run/docker.sock:ro
ports:
- 8080:8080
environment:
- APACHE_PORT=11000
- APACHE_IP_BINDING=0.0.0.0
volumes:
nextcloud_aio_mastercontainer:
name: nextcloud_aio_mastercontainer
EOF
cat << EOF | sudo tee "/etc/caddy/Caddyfile"
{
# auto_https will create redirects for https://{host}:8443 instead of https://{host}
# https redirects are added manually in the http://:80 block
auto_https disable_redirects
https_port 10086
https_port 8443
https_port 443
http_port 80
log {
level ERROR
}
}
# Match only host names and not ip-addresses:
https://*.*:10086,
https://*.*.*:10086,
https://*.*.*.*:10086,
https://*.*.*.*.*:10086,
https://*.*.*.*.*.*:10086 {
reverse_proxy localhost:10085
tls {
on_demand
issuer acme {
disable_tlsalpn_challenge
}
}
}
https://{$IP}:10086 {
reverse_proxy localhost:10085
tls internal {
on_demand
}
}
https://*.*:8443,
https://*.*.*:8443,
https://*.*.*.*:8443,
https://*.*.*.*.*:8443,
https://*.*.*.*.*.*:8443 {
reverse_proxy localhost:8080 {
transport http {
tls_insecure_skip_verify
}
}
tls {
on_demand
issuer acme {
disable_tlsalpn_challenge
}
}
}
https://*.*:443,
https://*.*.*:443,
https://*.*.*.*:443,
https://*.*.*.*.*:443,
https://*.*.*.*.*.*:443 {
reverse_proxy localhost:11000
tls {
on_demand
issuer acme {
disable_tlsalpn_challenge
}
}
}
http://*.*:80,
http://*.*.*:80,
http://*.*.*.*:80,
http://*.*.*.*.*:80,
http://*.*.*.*.*.*:80 {
redir https://{host}{uri} permanent
}
EOF
systemctl daemon-reload
systemctl enable wg-dash --now
systemctl enable caddy
systemctl restart caddy
curl -fsSL get.docker.com | sudo sh
wget https://github.com/docker/compose/releases/download/v2.20.2/docker-compose-linux-x86_64 -O /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose -f /root/compose.yaml up -d