diff --git a/src/zammad/install-service.sh b/src/zammad/install-service.sh index b6ea274..0d13605 100644 --- a/src/zammad/install-service.sh +++ b/src/zammad/install-service.sh @@ -1,21 +1,46 @@ #!/bin/bash - # Authors: # (C) 2021 Idea an concept by Christian Zengel # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille - source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf - +LXC_IP=$(hostname -I) apt-key adv --fetch https://dl.packager.io/srv/zammad/zammad/key apt-key adv --fetch https://artifacts.elastic.co/GPG-KEY-elasticsearch + +cat << EOF >>/etc/hosts +0.0.0.0 image.zammad.com +0.0.0.0 images.zammad.com +0.0.0.0 geo.zammad.com +0.0.0.0 www.zammad.com +0.0.0.0 www.zammad.org +0.0.0.0 www.zammad.net +0.0.0.0 www.zammad.de +0.0.0.0 zammad.com +0.0.0.0 zammad.org +0.0.0.0 zammad.net +0.0.0.0 zammad.de +# +127.0.0.1 elasticsearch +0.0.0.0 geoip.elastic.co +EOF + +# Java set startup environment +mkdir -p /etc/elasticsearch/jvm.options.d +cat << EOF >>/etc/elasticsearch/jvm.options.d/msmx-size.options +# INFO: https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-heap-size +# max 50% of total RAM - 2G Ram then set Xms and Xmx 1g +-Xms1g +-Xmx1g +EOF + wget -O /etc/apt/sources.list.d/zammad.list https://dl.packager.io/srv/zammad/zammad/stable/installer/debian/11.repo echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert zammad +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install ssl-cert nginx-full postgresql # configurwe nginx rm -f /etc/nginx/sites-enabled/default @@ -24,70 +49,64 @@ cat << EOF > /etc/nginx/sites-available/zammad.conf upstream zammad-railsserver { server 127.0.0.1:3000; } - upstream zammad-websocket { server 127.0.0.1:6042; } - server { listen 80; listen [::]:80; server_name _; server_tokens off; - access_log /var/log/nginx/zammad.access.log; error_log /var/log/nginx/zammad.error.log; - location /.well-known/ { root /var/www/html; } - return 301 https://\$host\$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name _; server_tokens off; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; - ssl_protocols TLSv1.3 TLSv1.2; ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM; ssl_dhparam /etc/nginx/dhparam.pem; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 180m; - ssl_stapling on; ssl_stapling_verify on; - resolver 1.1.1.1 1.0.0.1; - - add_header Strict-Transport-Security "max-age=31536000" always; - +# +# https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache +# + add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; + add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *"; + add_header Referrer-Policy "strict-origin"; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"; + location = /robots.txt { access_log off; log_not_found off; } - + location = /favicon.ico { access_log off; log_not_found off; } - root /opt/zammad/public; - access_log /var/log/nginx/zammad.access.log; error_log /var/log/nginx/zammad.error.log; - client_max_body_size 50M; - location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) { expires max; } - location /ws { proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; @@ -98,19 +117,15 @@ server { proxy_read_timeout 86400; proxy_pass http://zammad-websocket; } - location / { proxy_set_header Host \$http_host; proxy_set_header CLIENT_IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; - # change this line in an SSO setup proxy_set_header X-Forwarded-User ""; - proxy_read_timeout 180; proxy_pass http://zammad-railsserver; - gzip on; gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; gzip_proxied any; @@ -118,6 +133,25 @@ server { } EOF +echo -e "\n\n\n >>> Warte 5 sek. und installier Zammad ...\n\n\n" +sleep 5 +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq install zammad + +# SymLink nginx Zammad enable +ln -s /etc/nginx/sites-available/zammad.conf /etc/nginx/sites-enabled/ + openssl dhparam -out /etc/nginx/dhparam.pem 4096 -systemctl restart nginx \ No newline at end of file +systemctl restart nginx +systemctl enable elasticsearch.service +systemctl start elasticsearch.service + +# Elasticsearch conntact to Zammad +/usr/share/elasticsearch/bin/elasticsearch-plugin install -b ingest-attachment +zammad run rails r "Setting.set('es_url', 'http://localhost:9200')" +zammad run rails r "Setting.set('es_index', Socket.gethostname.downcase + '_zammad')" +zammad run rails r "User.find_by(email: 'nicole.braun@zammad.org').destroy" +systemctl restart elasticsearch.service +zammad run rake searchindex:rebuild + +echo -e "Your Zammad installation is now complete. Please continue with setup in your Browser:\nURL:\t\thttp://$(echo $LXC_IP | cut -d'/' -f1)\n"