#!/bin/bash # Copyright (C) 2015-2023 YunoHost # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as # published by the Free Software Foundation, either version 3 of the # License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . set -u # Globals readonly YUNOHOST_LOG="/var/log/yunohost-installation_$(date +%Y%m%d_%H%M%S).log" # Custom colors for whiptail export NEWT_COLORS=' root=white,black roottext=white,black window=white,black border=white,black title=white,black textbox=white,black button=black,white compactbutton=white,black ' ############################################################################### # Main functions # ############################################################################### function usage() { echo " Usage : `basename $0` [-a] [-d ] [-h] Options : -a Enable automatic mode. No questions are asked. This does not perform the post-install step. -d Choose the distribution to install ('stable', 'testing', 'unstable'). Defaults to 'stable' -f Ignore checks before starting the installation. Use only if you know what you are doing. -h Prints this help and exit " } function parse_options() { AUTOMODE=0 DISTRIB=stable BUILD_IMAGE=0 FORCE=0 while getopts ":aid:fh" option; do case $option in a) AUTOMODE=1 export DEBIAN_FRONTEND=noninteractive ;; d) DISTRIB=$OPTARG ;; f) FORCE=1 ;; i) # This hidden option will allow to build generic image for Rpi/Olimex BUILD_IMAGE=1 ;; h) usage exit 0 ;; :) usage exit 1 ;; \?) usage exit 1 ;; esac done } function main() { parse_options "$@" check_assertions step upgrade_system || die "Unable to update the system" step install_script_dependencies || die "Unable to install dependencies to install script" step create_custom_config || die "Creating custom configuration file /etc/yunohost/yunohost.conf failed" step confirm_installation || die "Installation cancelled at your request" step manage_sshd_config || die "Error caught during sshd management" step fix_locales # do not die for a failure here, it's minor step setup_package_source || die "Setting up deb package sources failed" step apt_update || die "Error caught during 'apt-get update'" step register_debconf || die "Unable to insert new values into debconf database" step workarounds_because_sysadmin_sucks || die "Unable to run stupid workarounds" step install_yunohost_packages || die "Installation of Yunohost packages failed" if [[ "$BUILD_IMAGE" == "0" ]] ; then step restart_services || die "Error caught during services restart" fi if is_raspbian ; then step del_user_pi || die "Unable to delete user pi" fi if [[ "$BUILD_IMAGE" == "1" ]] ; then step clean_image || die "Unable to clean image" fi if is_raspbian ; then # Reboot should be done before postinstall to be able to run iptables rules reboot fi info "Installation logs are available in $YUNOHOST_LOG" success "YunoHost installation completed !" conclusion exit 0 } ############################################################################### # Helpers # ############################################################################### readonly normal=$(printf '\033[0m') readonly bold=$(printf '\033[1m') readonly faint=$(printf '\033[2m') readonly underline=$(printf '\033[4m') readonly negative=$(printf '\033[7m') readonly red=$(printf '\033[31m') readonly green=$(printf '\033[32m') readonly orange=$(printf '\033[33m') readonly blue=$(printf '\033[34m') readonly yellow=$(printf '\033[93m') readonly white=$(printf '\033[39m') function success() { local msg=${1} echo "[${bold}${green} OK ${normal}] ${msg}" | tee -a $YUNOHOST_LOG } function info() { local msg=${1} echo "[${bold}${blue}INFO${normal}] ${msg}" | tee -a $YUNOHOST_LOG } function warn() { local msg=${1} echo "[${bold}${orange}WARN${normal}] ${msg}" | tee -a $YUNOHOST_LOG >&2 } function error() { local msg=${1} echo "[${bold}${red}FAIL${normal}] ${msg}" | tee -a $YUNOHOST_LOG >&2 } function die() { error "$1" info "Installation logs are available in $YUNOHOST_LOG" exit 1 } function step() { info "Running $1" $* local return_code="$?" return $return_code } function apt_get_wrapper() { if [[ "$AUTOMODE" == "0" ]] ; then debconf-apt-progress \ --logfile $YUNOHOST_LOG \ -- \ apt-get $* else # Why we need pipefail : https://stackoverflow.com/a/6872163 set -o pipefail apt-get $* 2>&1 | tee -a $YUNOHOST_LOG || return 1 set +o pipefail fi } function apt_update() { apt_get_wrapper update --allow-releaseinfo-change } ############################################################################### # Installation steps # ############################################################################### function check_assertions() { # Assert we're on Debian # Note : we do not rely on lsb_release to avoid installing a dependency # only to check this... [[ -f "/etc/debian_version" ]] || die "This script can only be ran on Debian 11 (Bullseye)." # Assert we're on Bullseye # Note : we do not rely on lsb_release to avoid installing a dependency # only to check this... # TODO: remove the line with "bullseye/sid" [[ "$(cat /etc/debian_version)" =~ ^11.* ]] \ || [[ "$(cat /etc/debian_version)" =~ "bullseye/sid" ]] \ || die "YunoHost is only available for the version 11 (Bullseye) of Debian, you are using '$(cat /etc/debian_version)'." # Forbid people from installing on Ubuntu or Linux mint ... if [[ -f "/etc/lsb-release" ]]; then if cat /etc/lsb-release | grep -q -i "Ubuntu\|Mint" then die "Please don't try to install YunoHost on an Ubuntu or Linux Mint system ... You need a 'raw' Debian 11 (Bullseye)." fi fi # Assert we're root [[ "$(id -u)" == "0" ]] || die "This script must be run as root. On most setups, the command 'sudo -i' can be run first to become root." # Check PATH var [[ "$PATH" == *"/sbin"* ]] || die "Your environment PATH variable must contains /sbin directory. Maybe try running 'PATH=/sbin:\$PATH' to fix this." # Assert systemd is installed command -v systemctl > /dev/null || die "YunoHost requires systemd to be installed." # Check that kernel is >= 3.12, otherwise systemd won't work properly. Cf. https://github.com/systemd/systemd/issues/5236#issuecomment-277779394 dpkg --compare-versions "$(uname -r)" "ge" "3.12" || die "YunoHost requires a kernel >= 3.12. Please consult your hardware documentation or VPS provider to learn how to upgrade your kernel." # If we're on Raspbian, we want the user 'pi' to be logged out because # it's going to be deleted for security reasons... if is_raspbian ; then user_pi_logged_out || die "The user pi should be logged out." fi # Check we aren't running in docker or other weird containers that we can't probably install on systemd-detect-virt | grep -v -q -w "docker\|container-other" || [[ "$FORCE" == "1" ]] \ || die "It seems like you are trying to install YunoHost in docker or a weird container technology which probably is not supported by this install script (or YunoHost as a whole). If you know what you are doing, you can run this script with -f." # Check possible conflict with apache, bind9. [[ -z "$(dpkg --get-selections | grep -v deinstall | grep 'bind9\s')" ]] || [[ "$FORCE" == "1" ]] \ || die "Bind9 is installed on your system. Yunohost conflicts with Bind9 because it requires dnsmasq. To be able to run this script, you should first run 'apt remove bind9 --purge --autoremove'." [[ -z "$(dpkg --get-selections | grep -v deinstall | grep 'apache2\s')" ]] || [[ "$FORCE" == "1" ]] \ || die "Apache is installed on your system. Yunohost conflicts with apache2 because it requires nginx. To be able to run this script, you should first run 'apt remove apache2 --purge --autoremove'." } function upgrade_system() { # Some VPS don't have debconf install, therefore don't have debconf-apt-progress... # c.f. https://github.com/YunoHost/issues/issues/1828 dpkg --list | grep -q '^ii debconf ' || { apt update --allow-releaseinfo-change; apt install debconf; } apt_get_wrapper update --allow-releaseinfo-change \ || return 1 # We need libtext-iconv-perl even before the dist-upgrade, # otherwise the dist-upgrade might fails on some setups because # perl is yolomacnuggets :| # Stuff like "Can't locate object method "new" via package "Text::Iconv"" apt_get_wrapper -o Dpkg::Options::="--force-confold" \ -y install \ libtext-iconv-perl \ || return 1 # Manually upgrade grub stuff in non-interactive mode, # otherwise a weird technical question is asked to the user # regarding how to upgrade grub's configuration... DEBIAN_FRONTEND=noninteractive \ apt_get_wrapper -o Dpkg::Options::="--force-confold" \ -y install --only-upgrade \ grub-common grub2-common \ || true apt_get_wrapper -o Dpkg::Options::="--force-confold" \ -y dist-upgrade \ || return 2 if is_raspbian ; then apt_get_wrapper -o Dpkg::Options::="--force-confold" \ -y install rpi-update \ || return 3 if [[ "$BUILD_IMAGE" != "1" ]] ; then (rpi-update 2>&1 | tee -a $YUNOHOST_LOG) \ || return 4 fi fi } function install_script_dependencies() { # dependencies of the install script itself local DEPENDENCIES="lsb-release whiptail gnupg apt-transport-https adduser" if [[ "$AUTOMODE" == "0" ]] ; then DEPENDENCIES+=" dialog" fi apt_update apt_get_wrapper -o Dpkg::Options::="--force-confold" \ -y install \ $DEPENDENCIES \ || return 1 } function create_custom_config() { # Create YunoHost configuration folder mkdir -p /etc/yunohost/ } function confirm_installation() { [[ "$AUTOMODE" == "1" ]] && return 0 local text=" Caution ! Your configuration files for : - postfix - dovecot - mysql - nginx - metronome will be overwritten ! Are you sure you want to proceed with the installation of Yunohost? " whiptail --title "Yunohost Installation" --yesno "$text" 20 78 } function manage_sshd_config() { # In auto mode we erase the current sshd config [[ "$AUTOMODE" == "1" ]] && return 0 [[ ! -f /etc/ssh/sshd_config ]] && return 0 local sshd_config_possible_issues="0" local text="To improve the security of your server, it is recommended to let YunoHost manage the SSH configuration. Your current SSH configuration differs from the recommended configuration. If you let YunoHost reconfigure it, the way you connect to your server through SSH will change in the following way:" # If root login is currently enabled if ! grep -E "^[[:blank:]]*PermitRootLogin[[:blank:]]+no" /etc/ssh/sshd_config ; then sshd_config_possible_issues="1" text="$text\n- you will not be able to connect as root through SSH. Instead you should use the admin user ; " fi # If current conf uses a custom ssh port if grep -Ev "^[[:blank:]]*Port[[:blank:]]+22[[:blank:]]*(#.*)?$" /etc/ssh/sshd_config | grep -E "^[[:blank:]]*Port[[:blank:]]+[[:digit:]]+$" ; then sshd_config_possible_issues="1" text="$text\n- you will have to connect using port 22 instead of your current custom SSH port. Feel free to reconfigure it after the postinstallation. " fi # If we are using DSA key for ssh server fingerprint if grep -E "^[[:blank:]]*HostKey[[:blank:]]+/etc/ssh/ssh_host_dsa_key" /etc/ssh/sshd_config ; then sshd_config_possible_issues="1" text="$text\n- the DSA key will be disabled. Hence, you might later need to invalidate a spooky warning from your SSH client, and recheck the fingerprint of your server ; " fi text="${text} Do you agree to let YunoHost apply those changes to your configuration and therefore affect the way you connect through SSH ? " # If no possible issue found, we just assume it's okay and will take over the SSH conf during postinstall [[ "$sshd_config_possible_issues" == "0" ]] && return 0 # Otherwise, we ask the user to confirm if ! whiptail --title "SSH Configuration" --yesno "$text" 20 78 --defaultno ; then # Keep a copy to be restored during the postinstall # so that the ssh confs behaves as manually modified. cp /etc/ssh/sshd_config /etc/ssh/sshd_config.before_yunohost fi return 0 } function setup_package_source() { local CUSTOMAPT=/etc/apt/sources.list.d/yunohost.list # Debian repository local CUSTOMDEB="deb [signed-by=/usr/share/keyrings/yunohost-archive-keyring.gpg] http://forge.yunohost.org/debian/ bullseye stable" if [[ "$DISTRIB" == "stable" ]] ; then echo "$CUSTOMDEB" > $CUSTOMAPT elif [[ "$DISTRIB" == "testing" ]] ; then echo "$CUSTOMDEB testing" > $CUSTOMAPT elif [[ "$DISTRIB" == "unstable" ]] ; then echo "$CUSTOMDEB testing unstable" > $CUSTOMAPT fi # Add YunoHost repository key to the keyring curl --fail --silent https://forge.yunohost.org/yunohost_bullseye.asc | gpg --dearmor > /usr/share/keyrings/yunohost-archive-keyring.gpg apt-get -qq update } function register_debconf() { debconf-set-selections << EOF slapd slapd/password1 password yunohost slapd slapd/password2 password yunohost slapd slapd/domain string yunohost.org slapd shared/organization string yunohost.org slapd slapd/allow_ldap_v2 boolean false slapd slapd/invalid_config boolean true slapd slapd/backend select MDB postfix postfix/main_mailer_type select Internet Site postfix postfix/mailname string /etc/mailname nslcd nslcd/ldap-bindpw password nslcd nslcd/ldap-starttls boolean false nslcd nslcd/ldap-reqcert select nslcd nslcd/ldap-uris string ldap://localhost/ nslcd nslcd/ldap-binddn string nslcd nslcd/ldap-base string dc=yunohost,dc=org libnss-ldapd libnss-ldapd/nsswitch multiselect group, passwd, shadow postsrsd postsrsd/domain string yunohost.org EOF } function workarounds_because_sysadmin_sucks() { # ######################## # # Workarounds for fail2ban # # ######################## # # We need to create auth.log in case it does not exists, because in some situation, # this file does not exists, fail2ban will miserably fail to start because # the default fail2ban jail include the sshd jail ... >.> touch /var/log/auth.log # ######################## # # Workarounds for avahi # # ######################## # # When attempting several installation of Yunohost on the same host # with a light VM system like LXC # we hit a bug with avahi-daemon postinstallation # This is described in detail in https://github.com/lxc/lxc/issues/25 # # It makes the configure step of avahi-daemon fail, because the service does # start correctly. Then all other packages depending on avahi-daemon refuse to # configure themselves. # # The workaround we use is to generate a random uid for the avahi user, and # create the user with this id beforehand, so that the avahi-daemon postinst # script does not do it on its own. Our randomized uid has far less chances to # be already in use in another system than the automated one (which tries to use # consecutive uids). # Return without error if avahi already exists if id avahi > /dev/null 2>&1 ; then info "User avahi already exists (with uid $(id avahi)), skipping avahi workaround" return 0 fi # Get a random unused uid between 500 and 999 (system-user) local avahi_id=$((500 + RANDOM % 500)) while cut -d ':' -f 3 /etc/passwd | grep -q $avahi_id ; do avahi_id=$((500 + RANDOM % 500)) done info "Workaround for avahi : creating avahi user with uid $avahi_id" # Use the same adduser parameter as in the avahi-daemon postinst script # Just specify --uid explicitely adduser --disabled-password --quiet --system \ --home /var/run/avahi-daemon --no-create-home \ --gecos "Avahi mDNS daemon" --group avahi \ --uid $avahi_id } function install_yunohost_packages() { # Allow sudo removal even if no root password has been set (on some DO # droplet or Vagrant virtual machines), as YunoHost use sudo-ldap export SUDO_FORCE_REMOVE=yes # On some machines (e.g. OVH VPS), the /etc/resolv.conf is immutable # We need to make it mutable for the resolvconf dependency to be installed chattr -i /etc/resolv.conf 2>/dev/null || true # Install those damn deps independently ... # otherwise they make the install crash for random reasons ~.~ # c.f. https://github.com/YunoHost/issues/issues/1382 apt_get_wrapper \ -o Dpkg::Options::="--force-confold" \ -y install \ debhelper dh-autoreconf \ || true # Explicitly install these so they get flagged as manually installed # At some point we may want to start trying to not install these by default # To have lighter systems # But that assumes that app explicitly declare their dependencies recommend_packages="php7.4-fpm mariadb-server metronome" # Install YunoHost apt_get_wrapper \ -o Dpkg::Options::="--force-confold" \ -o APT::install-recommends=true \ -y install \ yunohost yunohost-admin postfix \ $recommend_packages \ || return 1 } function restart_services() { service slapd restart # service yunohost-firewall start service unscd restart service nslcd restart # For some reason sometimes dbus is not properly started/enabled ... systemctl is-active dbus >/dev/null || systemctl enable dbus --now return 0 } function fix_locales() { # This function tries to fix the whole locale and perl mess about missing locale files # Install 'locales' if locale-gen does not exists yet command -v locale-gen > /dev/null || apt_get_wrapper -o Dpkg::Options::="--force-confold" -y install locales # Generate at least en_US.UTF-8 grep -q "^ *en_US.UTF-8" /etc/locale.gen || echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen # FIXME: here some day we should try to identify the user's lang from LANG or LC_ALL and generate the appropriate locale ... # (and set this lang as the default in /etc/env 3 lines below) locale-gen # If no /etc/environment exists, default to en_US.UTF-8 [ "$(grep LC_ALL /etc/environment)" ] || echo 'LC_ALL="en_US.UTF-8"' >> /etc/environment source /etc/environment export LC_ALL } function conclusion() { # Get first local IP and global IP local local_ip=$(hostname --all-ip-address | awk '{print $1}') local global_ip=$(curl https://ip.yunohost.org 2>/dev/null) # Will ignore local ip if it's already the global IP (e.g. for some VPS) [[ "$local_ip" != "$global_ip" ]] || local_ip="" # Formatting [[ -z "$local_ip" ]] || local_ip=$(echo -e "\n - https://$local_ip/ (local IP, if self-hosting at home)") [[ -z "$global_ip" ]] || global_ip=$(echo -e "\n - https://$global_ip/ (global IP, if you're on a VPS)") cat << EOF =============================================================================== You should now proceed with Yunohost post-installation. This is where you will be asked for : - the main domain of your server ; - the administration password. You can perform this step : - from the command line, by running 'yunohost tools postinstall' as root - or from your web browser, by accessing : ${local_ip}${global_ip} If this is your first time with YunoHost, it is strongly recommended to take time to read the administator documentation and in particular the sections 'Finalizing your setup' and 'Getting to know YunoHost'. It is available at the following URL : https://yunohost.org/admindoc =============================================================================== EOF } ############################################################################### # Raspbian specific stuff # ############################################################################### function is_raspbian() { # On Raspbian image lsb_release is available if [[ "$(lsb_release -i -s 2> /dev/null)" != "Raspbian" ]] ; then return 1 fi return 0 } function user_pi_logged_out() { who | grep -w pi > /dev/null && return 1 return 0 } function del_user_pi() { if id "pi" >/dev/null 2>&1; then deluser --remove-all-files pi >> $YUNOHOST_LOG 2>&1 fi } ############################################################################### # Image building specific stuff # ############################################################################### function clean_image() { # Delete SSH keys rm -f /etc/ssh/ssh_host_* >> $YUNOHOST_LOG 2>&1 yes | ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa >> $YUNOHOST_LOG 2>&1 yes | ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa >> $YUNOHOST_LOG 2>&1 yes | ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521 >> $YUNOHOST_LOG 2>&1 # Deleting logs ... find /var/log -type f -exec rm {} \; >> $YUNOHOST_LOG 2>&1 # Purging apt ... apt-get clean >> $YUNOHOST_LOG 2>&1 } ############################################################################### main "$@"