diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example
index f6a0150..52d9329 100644
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@@ -147,3 +147,15 @@ CMK_ADMIN_PW='Start!123'
 # raw = completely free
 # free = limited version of the enterprise edition (25 hosts, 1 instance)
 CMK_EDITION=raw
+
+############### Kopano-Section ###############
+
+# Define the FQDN of your Nextcloud server
+KOPANO_FQDN="kopano.zmb.rocks"
+
+# Defines the trusted reverse proxy, which will enable the detection of source ip to fail2ban
+KOPANO_MAILGW="192.168.100.254"
+
+# Kopano test- or subscription-key offerd from
+# https://kopano.com/downloads-demo/?demo=Kopano+Groupware&headline=Packages&target=Debian+10
+KOPANO_REPKEY="1234567890abcdefghijklmno"
diff --git a/src/kopano-core/install-service.sh b/src/kopano-core/install-service.sh
index 0c08266..53c375f 100644
--- a/src/kopano-core/install-service.sh
+++ b/src/kopano-core/install-service.sh
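Review bot: The comment above `KOPANO_FQDN` reads `# Define the FQDN of your Nextcloud server`, which looks copied from another section of the example; it should describe the Kopano host, e.g. `# Define the FQDN of your Kopano server (used as CN/SAN of the generated certificate)`, since install-service.sh feeds it to `openssl req -subj "/CN=$KOPANO_FQDN"`. The `KOPANO_MAILGW` comment talks about a trusted reverse proxy for fail2ban source-IP detection while the name suggests a mail gateway; the install-service.sh hunk in this commit does not reference `KOPANO_MAILGW` at all, so either document where it is consumed or hold it back until it is. Because `KOPANO_REPKEY` is a subscription secret, a one-line warning such as `# Keep your real key in your local zamba.conf only - never commit it` would help operators, as the placeholder value invites copy-and-fill in a tracked file (the real config is presumably the non-.example zamba.conf).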
@@ -84,11 +84,190 @@ apt update && apt full-upgrade -y
 DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq --no-install-recommends kopano-server-packages kopano-webapp \
 z-push-kopano z-push-config-nginx kopano-webapp-plugin-mdm kopano-webapp-plugin-files
+#### Adjust kopano settings ####
+
+cat > /etc/kopano/ldap.cfg << EOF
+
+!include /usr/share/kopano/ldap.active-directory.cfg
+
+ldap_uri = ldap://10.10.81.12:389
+ldap_bind_user = cn=zmb-ldap,cn=Users,dc=zmb,dc=rocks
+ldap_bind_passwd = Start123!
+ldap_search_base = dc=zmb,dc=rocks
+
+#ldap_user_search_filter = (kopanoAccount=1)
+
+EOF
+
+cat > /etc/kopano/server.cfg << EOF
+
+server_listen = *:236
+local_admin_users = root kopano
+
+#database_engine = mysql
+#mysql_host = localhost
+#mysql_port = 3306
+mysql_user = $MARIA_DB_USER
+mysql_password = $MARIA_USER_PWD
+mysql_database = $MARIA_DB_NAME
+
+user_plugin = ldap
+user_plugin_config = /etc/kopano/ldap.cfg
+
+EOF
+
+#### Adjust php settings ####
+
+sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
+
+cat > /etc/php/7.3/fpm/pool.d/webapp.conf << EOF
+
+[webapp]
+listen = 127.0.0.1:9002
+user = www-data
+group = www-data
+listen.allowed_clients = 127.0.0.1
+pm = dynamic
+pm.max_children = 150
+pm.start_servers = 35
+pm.min_spare_servers = 20
+pm.max_spare_servers = 50
+pm.max_requests = 200
+listen.backlog = -1
+request_terminate_timeout = 120s
+rlimit_files = 131072
+rlimit_core = unlimited
+catch_workers_output = yes
+
+EOF
+
+sed -i "s/define('LANG', 'en_US.UTF-8')/define('LANG', 'de_DE.UTF-8')/" /etc/kopano/webapp/config.php
+
 #### Adjust nginx settings ####
 openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/private/kopano.key -out /etc/ssl/certs/kopano.crt -subj "/CN=$KOPANO_FQDN" -addext "subjectAltName=DNS:$KOPANO_FQDN"
 openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
-mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
+#mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
+
+cat > /etc/nginx/sites-available/webapp.conf << EOF
+upstream php-handler {
+ server 127.0.0.1:9002;
+ #server unix:/var/run/php5-fpm.sock;
+ #server unix:/var/run/php/php7.3-fpm.sock;
+}
+
+server{
+ listen 80;
+ charset utf-8;
+ listen [::]:80;
+ server_name _;
+
+ location / {
+ rewrite ^(.*) https://\$server_name\$1 permanent;
+ }
+ }
+
+server {
+ charset utf-8;
+ listen 443;
+ listen [::]:443 ssl;
+ server_name _;
+ ssl on;
+ client_max_body_size 1024m;
+ ssl_certificate /etc/ssl/certs/kopano.crt;
+ ssl_certificate_key /etc/ssl/private/kopano.key;
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+ ssl_prefer_server_ciphers on;
+ #
+ # ssl_dhparam require you to create a dhparam.pem, this takes a long time
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ #
+
+ # add headers
+ server_tokens off;
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location /webapp {
+ alias /usr/share/kopano-webapp/;
+ index index.php;
+
+ location ~ /webapp/presence/ {
+ rewrite ^/webapp/presence(/.*)$ \$1 break;
+ proxy_pass http://localhost:1234;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_http_version 1.1;
+ }
+
+ }
+
+ location ~* ^/webapp/(.+\.php)$ {
+ alias /usr/share/kopano-webapp/;
+
+ # deny access to .htaccess files
+ location ~ /\.ht {
+ deny all;
+ }
+
+ fastcgi_param PHP_VALUE "
+ register_globals=off
+ magic_quotes_gpc=off
+ magic_quotes_runtime=off
+ post_max_size=31M
+ upload_max_filesize=30M
+ ";
+ fastcgi_param PHP_VALUE "post_max_size=31M
+ upload_max_filesize=30M
+ max_execution_time=3660
+ ";
+
+ include fastcgi_params;
+ fastcgi_index index.php;
+ #fastcgi_param HTTPS on;
+ fastcgi_param SCRIPT_FILENAME \$document_root\$1;
+ fastcgi_pass php-handler;
+ access_log /var/log/nginx/kopano-webapp-access.log;
+ error_log /var/log/nginx/kopano-webapp-error.log;
+
+ # CSS and Javascript
+ location ~* \.(?:css|js)$ {
+ expires 1y;
+ access_log off;
+ add_header Cache-Control "public";
+ }
+
+ # All (static) resources set to 2 months expiration time.
+ location ~* \.(?:jpg|gif|png)\$ {
+ expires 2M;
+ access_log off;
+ add_header Cache-Control "public";
+ }
+
+ # enable gzip compression
+ gzip on;
+ gzip_min_length 1100;
+ gzip_buffers 4 32k;
+ gzip_types text/plain application/x-javascript text/xml text/css application/json;
+ gzip_vary on;
+ }
+
+}
+
+map \$http_upgrade \$connection_upgrade {
+ default upgrade;
+ '' close;
+}
+EOF
+
+ln -s /etc/nginx/sites-available/webapp.conf /etc/nginx/sites-enabled/
+
+systemctl restart nginx
+
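Review bot: The `cat > /etc/kopano/ldap.cfg` heredoc hard-codes an LDAP host (`ldap_uri = ldap://10.10.81.12:389`) and bind password (`ldap_bind_passwd = Start123!`) instead of taking them from zamba.conf like the `$MARIA_*` and `$KOPANO_FQDN` values, and both it and `server.cfg` (which receives `$MARIA_USER_PWD`) are written by plain redirection, so they are created with the shell's umask — typically 0644 — and the passwords become readable to every local account. Moving the LDAP settings into `KOPANO_LDAP_*` variables in zamba.conf.example and tightening the files right after writing them, e.g. `chmod 640 /etc/kopano/ldap.cfg /etc/kopano/server.cfg` (with the group the Kopano packages run the server as, presumably `kopano` — verify), would address both; the bind should also go over `ldaps://` or StartTLS so the password does not cross the network in clear. In the nginx heredoc, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still admits the deprecated TLS 1.0/1.1 and should be at least `ssl_protocols TLSv1.2;`, and with `server_name _;` the HTTP vhost's `rewrite ^(.*) https://\$server_name\$1 permanent;` redirects clients to the literal host `_`; `return 301 https://\$host\$request_uri;` is the usual form. The second `sed -i ... config.php` line repeats the first verbatim and can be dropped; the script continues before this hunk.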