initial commit of file from CVS for smeserver-nextcloud on Sat Sep 7 20:46:17 AEST 2024

root/etc/e-smith/db/accounts/defaults/nextcloud/type

@@ -0,0 +1 @@
+url

root/etc/e-smith/db/configuration/defaults/nextcloud/AdminUser

@@ -0,0 +1 @@
+nextcloudadmin

root/etc/e-smith/db/configuration/defaults/nextcloud/DbName

@@ -0,0 +1 @@
+nextcloud

root/etc/e-smith/db/configuration/defaults/nextcloud/DbUser

@@ -0,0 +1 @@
+nextcloud

root/etc/e-smith/db/configuration/defaults/nextcloud/access

@@ -0,0 +1 @@
+private

root/etc/e-smith/db/configuration/defaults/nextcloud/status

@@ -0,0 +1 @@
+enabled

root/etc/e-smith/db/configuration/defaults/nextcloud/type

@@ -0,0 +1 @@
+configuration

root/etc/e-smith/db/configuration/migrate/nextcloud

@@ -0,0 +1,16 @@
+{
+
+my $nextcloud = $DB->get('nextcloud') ||  $DB->new_record('nextcloud', {type => 'service'});
+
+my $dbpass = $nextcloud->prop('DbPassword') ||
+        $nextcloud->set_prop('DbPassword', `/usr/bin/openssl rand -base64 40 | /usr/bin/tr -c -d '[:graph:]'`);
+my $dbAdminPass = $nextcloud->prop('AdminPassword') ||
+        $nextcloud->set_prop('AdminPassword', `/usr/bin/openssl rand -base64 40 | /usr/bin/tr -c -d '[:graph:]'`);
+
+if (my $CloudDomain = $DB->get_prop_and_delete('nextcloud', 'CloudDomain')) {
+        $nextcloud->merge_props('VirtualHost', $CloudDomain);
+    }
+        
+}
+
+

root/etc/e-smith/events/actions/nextcloud-conf

@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# does /usr/share/nextcloud exists ? no: we create it from sources
+if [ ! -d /usr/share/nextcloud ]; then
+  cp -a /usr/share/nextcloud-src /usr/share/nextcloud
+fi
+
+# important configuration variables
+password=`/sbin/e-smith/db configuration getprop nextcloud DbPassword || echo "missing"`
+dbname=`/sbin/e-smith/db configuration getprop nextcloud DbName || echo "nextcloud"`
+dbuser=`/sbin/e-smith/db configuration getprop nextcloud DbUser || echo "nextcloud"`
+adminuser=`/sbin/e-smith/db configuration getprop nextcloud AdminUser || echo "admin"`
+adminpass=`/sbin/e-smith/db configuration getprop nextcloud AdminPassword ||/sbin/e-smith/db configuration getprop sysconfig SystemID  || echo "password;109"`
+
+host="localhost:/var/lib/mysql/mariadb105.sock"
+socket="--socket=/var/lib/mysql/mariadb105.sock"
+# need to check what db we are supposed to use. starting NC 21 mariadb >= 102 is needed  core is 55
+# are we fresh install or update ?
+installed=$(/usr/bin/occ status --output json |jq -r '.installed')
+# what version
+majversion=$(/usr/bin/occ status --output json |jq -r '.version'|cut -d'.' -f1)
+# is there a nextcloud db in core mariadb
+if [ "$installed" != "true" ]; then  host="localhost:/var/lib/mysql/mariadb105.sock"; socket="--socket=/var/lib/mysql/mariadb105.sock"; fi
+if [ "$installed" == "true" ]; then  host=$(occ config:system:get dbhost); socket="--socket=$(echo $host|awk -F'[:]' '{print $2}')" ; fi
+if [ "$socket" == "--socket=" ]; then  socket=""; fi
+
+# initialize grants mysql nextcloud database
+/usr/bin/mysql --defaults-file=/root/.my.cnf $socket -e "CREATE DATABASE IF NOT EXISTS $dbname;"
+/usr/bin/mysql --defaults-file=/root/.my.cnf $socket -e "grant all on $dbname.* to '$dbuser'@'localhost' identified by '$password';"
+/usr/bin/mysql --defaults-file=/root/.my.cnf $socket -e "FLUSH PRIVILEGES"
+
+res=`/usr/bin/mysql --defaults-file=/root/.my.cnf $socket -e "select count(*) from information_schema.tables where table_type = 'BASE TABLE' and table_schema = '$dbname'" | tail -n1`;
+
+if [[ $res == '0' ]]; then
+    /usr/bin/occ maintenance:install --database mysql --database-host $host  --database-name $dbname --database-user $dbuser --database-pass $password --admin-user $adminuser --admin-pass  $adminpass --data-dir /home/e-smith/files/nextcloud/data/
+
+    /usr/bin/occ app:enable user_ldap
+    # might create s01 or empty id depending on version
+    /usr/bin/occ ldap:create-empty-config 
+    # create config with id s01 if not already present
+    /usr/bin/occ ldap:show-config s01 1>/dev/null || /usr/bin/occ ldap:create-empty-config 
+    # delete config with empty id if exist
+    /usr/bin/occ ldap:delete-config '' 1>/dev/null 
+    mkdir -p /home/e-smith/files/nextcloud/skeleton/ibays
+fi
+
+mkdir -p /home/e-smith/files/nextcloud/skeleton/ibays
+/usr/bin/occ config:system:set  skeletondirectory --value="/home/e-smith/files/nextcloud/skeleton"
+#/usr/bin/occ config:system:set  templatedirectory --value=""
+
+# to satisfy code integrity check
+if [ -f /usr/share/nextcloud/.htaccess.rpmsave ]; then
+    rm -f /usr/share/nextcloud/.htaccess.rpmsave
+fi
+if [ -f /usr/share/nextcloud/.htaccess.rpmnew ]; then
+    rm -f /usr/share/nextcloud/.htaccess.rpmnew
+fi
+
+# upgrade and check integrity
+/usr/bin/occ upgrade
+/usr/bin/occ maintenance:mode --off
+/usr/bin/occ integrity:check-core
+## Catch 'Nextcloud is already latest version' message
+#if [ $? -eq 3 ]; then
+#    exit 0
+#fi
+
+# remove signup link
+/usr/bin/occ config:system:set --type=bool --value=false simpleSignUpLink.shown
+
+#set default loglevel SME 12412
+/usr/bin/occ config:system:set loglevel --value=3
+
+#Redis index File Cache
+/usr/bin/occ config:system:set  redis host --value="localhost"
+/usr/bin/occ config:system:set  redis port --value="6379"
+/usr/bin/occ config:system:set  redis timeout --value="0.0"
+/usr/bin/occ config:system:set  redis password --value=""
+/usr/bin/occ config:system:set  memcache.locking --value="\OC\Memcache\Redis"
+/usr/bin/occ config:system:set --type=bool --value=true filelocking.enabled
+
+# cron maintenance windows
+/usr/bin/occ config:system:set maintenance_window_start --type=integer --value=1
+
+#samba needed folder to put gencache.tdb
+if [ ! -d /var/www/.cache/samba ]; then
+  mkdir -p /var/www/.cache/samba
+  chown www:shared /var/www/.cache/samba
+fi
+if [ ! -d /home/e-smith/.cache/samba ]; then
+  mkdir -p /home/e-smith/.cache/samba
+  chown www:admin /home/e-smith/.cache/samba
+fi
+
+

root/etc/e-smith/events/actions/nextcloud-del-user

@@ -0,0 +1,97 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 2018 Koozali SME Server Foundation
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#               
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#               
+#----------------------------------------------------------------------
+
+
+package esmith;
+
+use strict;
+use Errno;
+use esmith::ConfigDB;
+use JSON;
+
+my $conf = esmith::ConfigDB->open_ro
+    or die "Could not open Config DB";
+
+
+sub OCCr
+{
+    my $params = join(" ", @_);
+    my $json =`TERM=dumb /usr/bin/occ $params` ;
+    return $json;
+}
+
+sub listLocalMounts
+{
+  my %localmounts;
+  my $json = JSON->new->allow_nonref->convert_blessed->escape_slash;
+  my $result = $json->decode(OCCr " files_external:list --output json");
+
+ for my $report ( @{$result} ) {
+        next unless ( $report->{'storage'} =~ m/Local$/ || $report->{'storage'} =~ m/SMB$/ ) ;
+        $localmounts{$report->{'mount_id'}}{'mount_point'}=$report->{mount_point};
+        $localmounts{$report->{'mount_id'}}{'datadir'}=$report->{'configuration'}->{'datadir'};
+        $localmounts{$report->{'mount_id'}}{'applicable_groups'}=$report->{'applicable_groups'};
+        $localmounts{$report->{'mount_id'}}{'applicable_users'}=$report->{'applicable_users'};
+        $localmounts{$report->{'mount_id'}}{'storage'}= ( $report->{'storage'} =~ m/Local$/ ) ? "local" : "smb";
+        # for SMB
+        $localmounts{$report->{'mount_id'}}{'share'} = $report->{'configuration'}->{'share'};
+        $localmounts{$report->{'mount_id'}}{'host'} = $report->{'configuration'}->{'host'};
+ }
+ return %localmounts;
+}
+
+sub listUsers
+{
+  my %NCusers;
+  my $json = JSON->new->allow_nonref->convert_blessed->escape_slash;
+  my $result = $json->decode(OCCr " user:list --output json");
+  for my $key (keys  %$result){
+        my $name = $result->{$key};
+        next unless $name =~ m/\((.*)\)$/;
+        my $uid = $1 if $name =~ /\((.*)\)$/;
+        $NCusers{$uid}=$key;
+  } 
+  return %NCusers;
+}
+
+my $event = $ARGV [0];
+my $userName = $ARGV [1];
+my %NCusers= listUsers;
+my %localmounts = listLocalMounts;
+my $x = 0; # exit value
+
+#------------------------------------------------------------
+# Delete the Nextcloud account.
+#------------------------------------------------------------
+
+die "Username argument missing." unless defined ($userName);
+
+my $id = $NCusers{$userName} || "";
+
+# delete user home access
+my @matching_keys = grep { defined $localmounts{$_}{'host'} && $localmounts{$_}{'host'} =~ m/localhost$/  && $localmounts{$_}{'share'} =~ m/$userName$/} keys %localmounts;
+while (my $bad = pop @matching_keys) {
+  system("TERM=dumb /usr/bin/occ files_external:delete -y $bad ") == 0
+    or ( $x = 255 ,  warn "Failed to delete (nextcloud) account $userName : $id .\n" );
+
+}
+
+# delete user
+system("TERM=dumb /usr/bin/occ user:delete -y $id ") == 0
+ or ( $x = 255 ,  warn "Failed to delete (nextcloud) account $userName : $id .\n" ) if ($id ne "");
+
+exit($x);

root/etc/e-smith/events/actions/nextcloud-occ-conf

@@ -0,0 +1,332 @@
+#!/usr/bin/perl
+
+use strict;
+use esmith::ConfigDB;
+use esmith::util;
+use esmith::AccountsDB;
+use JSON;
+use Array::Compare;
+
+sub OCC
+{
+    my $params = join(" ", @_);
+    system("TERM=dumb /usr/bin/occ $params 2>/dev/null");
+}
+
+sub OCCr
+{
+    my $params = join(" ", @_);
+    my $json =`TERM=dumb /usr/bin/occ $params` ;
+    $json =~ s/\s+$//;
+    return $json;
+}
+
+sub listLocalMounts
+{
+  my %localmounts;
+  my $json = JSON->new->allow_nonref->convert_blessed->escape_slash;
+  my $result = $json->decode(OCCr " files_external:list --output json");
+
+ for my $report ( @{$result} ) {
+        next unless ( $report->{'storage'} =~ m/Local$/ || $report->{'storage'} =~ m/SMB$/ ) ;
+        $localmounts{$report->{'mount_id'}}{'mount_point'}=$report->{mount_point};
+        $localmounts{$report->{'mount_id'}}{'datadir'}=$report->{'configuration'}->{'datadir'};
+        $localmounts{$report->{'mount_id'}}{'applicable_groups'}=$report->{'applicable_groups'};
+        $localmounts{$report->{'mount_id'}}{'applicable_users'}=$report->{'applicable_users'};
+        $localmounts{$report->{'mount_id'}}{'storage'}= ( $report->{'storage'} =~ m/Local$/ ) ? "local" : "smb";
+        # for SMB
+        $localmounts{$report->{'mount_id'}}{'share'} = $report->{'configuration'}->{'share'};
+        $localmounts{$report->{'mount_id'}}{'host'} = $report->{'configuration'}->{'host'};
+ }
+ return %localmounts;
+}
+
+sub listUsers
+{
+  my %NCusers;
+  my $json = JSON->new->allow_nonref->convert_blessed->escape_slash;
+  my $result = $json->decode(OCCr " user:list --output json");
+  for my $key (keys  %$result){
+        my $name = $result->{$key};
+        next unless $name =~ m/\((.*)\)$/;
+        my $uid = $1 if $name =~ /\((.*)\)$/;
+        $NCusers{$uid}=$key;
+  }
+  return %NCusers;
+}
+
+sub listGroups
+{
+  my %NCgroups;
+  my $json = JSON->new->allow_nonref->convert_blessed->escape_slash;
+  my $result = $json->decode(OCCr " group:list -i --output json");
+  for my $key (keys  %$result){
+        my $type = $result->{$key}{'backends'}[0];
+        next unless $type eq "LDAP";
+	my $subresult = $json->decode(OCCr " group:info $key --output json");
+	my $name = $subresult->{'displayName'};# not editable for this backend!
+	$NCgroups{$name}=$key;
+ }
+ return %NCgroups;
+}
+
+my $cdb = esmith::ConfigDB->open_ro();
+my $adb = esmith::AccountsDB->open_ro();
+my @ibays = $adb->ibays();
+my @users = $adb->users();
+push @users,$adb->get('admin');
+my @shares = $adb->get_all_by_prop(type => 'share' );
+my %localmounts;
+my @idOK;
+my $nextcloud = $cdb->get('nextcloud') or exit;
+my $status = $nextcloud->prop('status') || 'disabled';
+exit if $status eq "disabled";
+my $doshare = $nextcloud->prop('Shares') || 'enabled';
+push @ibays,@shares unless $doshare eq "disabled";
+my $includeI = $nextcloud->prop('IncludeIbay') || "";
+my $excludeI = $nextcloud->prop('ExcludeIbay') || "Primary";
+my @incI = split ',' , $includeI ;
+my @excI =split ',' , $excludeI;
+my $smb = $cdb->get('smb');
+$status = $smb->prop('status') || 'disabled';
+$status = $nextcloud->prop('UseSMB') || $status;
+my %NCusers;
+my %NCgroups;
+my $storage = ( $status eq "enabled" ) ? 'smb' : 'local' ;
+my $domain = $cdb->get_value('DomainName');
+my $host = $cdb->get_value('SystemName');
+my $fqdn = join('.', $host , $domain);
+my $baseDN = esmith::util::ldapBase($cdb->get_value('DomainName'));
+my $local = $cdb->get_value('LocalIP');
+my $remote = $cdb->get_value('ExternalIP') || ""; 
+my $comp1 = Array::Compare->new; 
+my $workgroup = $cdb->get_prop('smb','Workgroup');
+
+# update trusted domains
+OCC "config:system:set trusted_domains 0 --value=$fqdn";
+OCC "config:system:set trusted_domains 1 --value=$host";
+OCC "config:system:set trusted_domains 2 --value=$domain";
+OCC "config:system:set trusted_domains 3 --value=localhost";
+my $i = 4;
+OCC "config:system:set trusted_domains $i --value=$local" ; $i++;
+
+if ($cdb->get_value('SystemMode') eq "servergateway") {
+OCC "config:system:set trusted_domains $i --value=$remote" ;  $i++;};
+
+# Add extra trusted domains
+my $trusted_domains  = $cdb->get_prop('nextcloud','TrustedDomains') || '';
+foreach (split(',', $trusted_domains)) {
+    OCC "config:system:set trusted_domains $i --value=".$_;
+    $i++;
+}
+
+my $VirtualHost = $cdb->get_prop('nextcloud','VirtualHost') || '';
+OCC "config:system:set trusted_domains 99 --value=$VirtualHost" unless $VirtualHost eq "";
+
+#set local domain to send emails
+if ( ($nextcloud->prop('cliurl') ||'enabled') eq 'enabled') {
+    my $url= ($VirtualHost eq "")? "$domain/nextcloud" : $VirtualHost;
+    OCC "config:system:set overwrite.cli.url --value 'https://$url'"
+}
+
+# enable files_external and allow auto refresh
+OCC "app:enable files_external";
+OCC "config:system:set filesystem_check_changes --value=1";
+
+# set memcache
+OCC "config:system:set memcache.local --value='\\OC\\Memcache\\APCu'";
+
+# Update user authentication
+
+#my $sssd = new NethServer::SSSD();
+#my $quotedBindPass = $sssd->bindPassword();
+#$quotedBindPass =~ s/\'/\\'/g;
+#$quotedBindPass =~ s/\$/\\\$/g;
+    OCC "ldap:set-config s01 ldapHost 'localhost'";
+    OCC "ldap:set-config s01 ldapPort 389";
+#    OCC "ldap:set-config s01 ldapAgentName '" . $sssd->bindDN() . "'";
+#    OCC "ldap:set-config s01 ldapAgentPassword '$quotedBindPass'";
+    OCC "ldap:set-config s01 ldapBase ".$baseDN;
+    OCC "ldap:set-config s01 ldapBaseGroups ou=Groups,$baseDN";
+    OCC "ldap:set-config s01 ldapBaseUsers ou=Users,$baseDN";
+
+    OCC "ldap:set-config s01 ldapGroupDisplayName cn";
+    OCC "ldap:set-config s01 ldapGroupFilter '(&(|(objectclass=posixGroup)))'";
+    OCC "ldap:set-config s01 ldapGroupFilterObjectclass posixGroup";
+    OCC "ldap:set-config s01 ldapGroupMemberAssocAttr memberUid";
+    OCC "ldap:set-config s01 ldapLoginFilter '(&(|(objectclass=inetOrgPerson))(|(uid=%uid)(|(mail=%uid))))'";
+    OCC "ldap:set-config s01 ldapLoginFilterEmail 1";
+    OCC "ldap:set-config s01 ldapLoginFilterMode 0";
+    OCC "ldap:set-config s01 ldapLoginFilterUsername 1";
+    OCC "ldap:set-config s01 ldapUserDisplayName cn";
+    OCC "ldap:set-config s01 ldapUserDisplayName2 uid";
+    OCC "ldap:set-config s01 ldapUserFilter '(|(objectclass=inetOrgPerson))'";
+    OCC "ldap:set-config s01 ldapUserFilterObjectclass inetOrgPerson";
+    OCC "ldap:set-config s01 ldapEmailAttribute mail";
+    OCC "ldap:set-config s01 useMemberOfToDetectMembership 0";
+    OCC "ldap:set-config s01 ldapConfigurationActive 1";
+    OCC "ldap:set-config s01 turnOffCertCheck 1";
+    # changes to use username in place of ldap uuid as id
+    OCC "ldap:set-config s01 ldapExpertUUIDGroupAttr cn";
+    OCC "ldap:set-config s01 ldapExpertUUIDUserAttr uid";
+    OCC "ldap:set-config s01 ldapExpertUsernameAttr uid";
+    # test new config to make it available, and sync user/groups
+    OCC "ldap:test-config s01";
+    %NCusers= listUsers;
+    %NCgroups= listGroups;
+    #my $totrash = OCCr "group:list";
+
+# set ibays shares 
+foreach ( @ibays) {
+  my $group = $_->prop('Group') ||'';
+  my $key =  $_->key;
+  #print "Configuring file repo :  $key\n";
+  my $id = "";
+  my $typ = $_->prop('type');
+  my @wgroups = split(',', $_->prop('WriteGroups')||'');
+  my @rgroups = split(',', $_->prop('ReadGroups')||'');
+  my @groups ;
+  push @groups, @rgroups,@wgroups, split(',',$group); 
+  my @rusers = split(',', $_->prop('ReadUsers')||'');
+  my @wusers = split(',', $_->prop('WriteUsers')||'');
+  my @Users;
+  push @Users,@wusers,@rusers;
+  my @uUsers ;
+  for (@Users)  { push  @uUsers, $NCusers{$_}; } ;
+  # next if includeI not empty and if not in includeI
+  next  unless (scalar(@incI) == 0 || grep(/^$key$/i, @incI) );
+  # next if in excludeI
+  next  if (grep(/^$key$/i, @excI) );
+
+  # get existing mount
+  %localmounts = listLocalMounts; 
+  # search for our current one
+  my @matching_keys = grep { $localmounts{$_}{'mount_point'} =~ m/ibays\/$key$/ &&  $localmounts{$_}{'storage'} eq $storage } keys %localmounts;
+
+  if (scalar(@matching_keys) == 0) {
+   print "Configuring file repo :  $key\n";
+   #if none create
+   if ($storage eq "smb") {
+     $id = OCCr "files_external:create -c share=$key -c host=localhost  -c domain=$workgroup -c root='' -c show_hidden=false -c check_acl=false -c timeout='' 'ibays/$key' smb password::logincredentials --output json";
+   } else {
+     $id = OCCr "files_external:create -c datadir=/home/e-smith/files/$typ/$key 'ibays/$key'  local null::null  --output json";
+   }
+   for $group (@groups) {
+	$group = $NCgroups{$group} || next;
+	print "  adding group $group to file repo $id\n"; 
+   	OCC "files_external:applicable --add-group $group $id --output json";
+   }
+   for my $u (@uUsers) {
+	print "  adding user $u to file repo $id\n";
+        OCC "files_external:applicable --add-user $u $id  --output json" ;
+   }
+   push @idOK,$id;
+   print "created $typ $key : $id\n";
+   next;
+  }
+  if (scalar(@matching_keys) > 1) {
+    #if more than 1 delete all but older
+    print "more than one $key, deleting the latest, keeping first\n";
+    while (scalar(@matching_keys) > 1){
+    my $bad = pop @matching_keys;
+    OCC "files_external:delete $bad -y";
+   }
+  }
+
+  #if one: update if necessary
+  $id = pop @matching_keys;
+  my @a = sort(@{$localmounts{$id}{'applicable_groups'}} );
+  my @b = sort(@groups);
+  my @ua = sort(@{$localmounts{$id}{'applicable_users'}} );
+  my @ub = sort(@uUsers);
+  if ( ! $comp1->compare(\@ua, \@ub)  || ! $comp1->compare(\@a, \@b) ) {
+    print "updating $key\n";
+    OCC "files_external:applicable --remove-all $id --output json";
+    for $group (@groups) {
+	$group = $NCgroups{$group} || next;
+    	OCC "files_external:applicable --add-group $group $id --output json" ;
+    }
+    for my $u (@uUsers) {
+        OCC "files_external:applicable --add-user $u $id --output json" ;
+    }
+
+  }
+  push @idOK,$id;
+}
+
+
+#remove ibays that exist not anymore
+%localmounts = listLocalMounts;
+my %params = map { $_ => 1 } @idOK;
+for my $key (keys  %localmounts){
+  ## TODO : adapt if SMB and if changing from one to the other.
+  if( $localmounts{$key}{'mount_point'} =~ m/ibays\/.*$/  && ! exists($params{$key})) {
+    my $mount= $localmounts{$key}{'mount_point'};
+    print "delete $key : $mount\n";
+    OCC "files_external:delete -y $key ";
+  }
+}
+
+
+# now we could mount home folder for each user using samba
+foreach (@users) {
+  my $key =  $_->key;
+  my $id = "";
+  my $user = $NCusers{$key};
+  print "Configuring user $user ($key)\n";
+  # in case user not already know by NC, skip
+  # normally not necessary, thanks to LDAP!!
+  next if ($user eq "");
+  # let's create the root "ibays" folder to mount every ibays in nextcloud user space
+  my ($login,$pass,$uid,$gid) = getpwnam("www");
+  my $idir = "/home/e-smith/files/nextcloud/data/$user";
+  unless ( !-d $idir || !-d "$idir/files" || -d "$idir/files/ibays")
+  {  
+        mkdir "$idir/files/ibays", 0770;
+        print "  created $idir/files/ibays\n";
+  }
+  # we do this on every turn in case it was wrong
+  chown $uid, $gid,"$idir/files/ibays";
+  chmod 0770, "$idir/files/ibays"; 
+  # we proceed next only if we want the user homes
+  next unless ($status eq "enabled");
+  # get existing mount
+  %localmounts = listLocalMounts;
+  # search for our current one
+  my @matching_keys = grep { $localmounts{$_}{'host'} =~ m/localhost$/  && $localmounts{$_}{'share'} =~ m/^$key$/} keys %localmounts;
+
+  # if none create
+  if (scalar(@matching_keys) == 0) {
+   #if none create
+   $id = OCCr "files_external:create -c share=$key -c host=localhost -c domain=$workgroup -c root='' -c show_hidden=false -c check_acl=false -c timeout='' '$key' smb password::logincredentials --output json";
+   OCC "files_external:applicable --add-user $user $id";
+   push @idOK,$id;
+   print "  created home dir for $key $user\n";
+   next;
+  }
+
+  if (scalar(@matching_keys) > 1) {
+   #if more than 1 delete all but older
+   print "  more than one $key, deleting the latest, keeping first\n";
+   while (scalar(@matching_keys) > 1){
+    my $bad = pop @matching_keys;
+    OCC "files_external:delete -y $bad ";
+   }
+  }
+  $id = pop @matching_keys;
+  if (scalar(@{$localmounts{$id}{'applicable_groups'}}) >0 || scalar(@{$localmounts{$id}{'applicable_users'}}) >1 || scalar(@{$localmounts{$id}{'applicable_users'}}) == 0 || $localmounts{$id}{'applicable_users'}[0] ne $user) {
+    print "  updating $key\n";
+    OCC "files_external:applicable --remove-all $id";
+    OCC "files_external:applicable --add-user $user $id" ;
+  }
+  push @idOK,$id;
+
+}
+
+# set cron
+OCC "background:cron";
+ 
+# and finally let's set SME admin as admin, shall we ?
+my $admin = $NCusers{'admin'};
+OCC "group:adduser admin $admin";
+

root/etc/e-smith/templates/etc/crontab/98nextcloud

@@ -0,0 +1,14 @@
+# nextcloud cron
+*/5  *  *  *  * www {
+ $OUT="/usr/bin/php81";
+ $version="26";
+ $search=qr/\s*'version'\s*=>\s*'([0-9]{2})\.[0-9]{1,2}.*/;
+ if ( open NC, "</usr/share/nextcloud/config/config.php") {
+  map {$version = $1 if /$search/ } <NC>;
+  close NC;
+ }
+ $OUT="/usr/bin/php74" if $version <= 24;
+} --define apc.enable_cli=1 --define memory_limit={ $memory=$nextcloud{'memory_limit'}||'1024M';} -f /usr/share/nextcloud/cron.php > /dev/null 2>&1
+
+# nextcloud db update
+19    2  *  *  * root /usr/bin/nc_dbupdate > /dev/null 2>&1

root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service55nextcloud

@@ -0,0 +1,9 @@
+[nextcloud]
+enabled  = true
+filter  = nextcloud
+action   = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
+logpath  = /home/e-smith/files/nextcloud/data/nextcloud.log
+maxretry = 3
+port = 80,443
+protocol = tcp
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/98nextcloud

@@ -0,0 +1,104 @@
+{
+my $access = $nextcloud{'access'} || 'private';
+my $allow = ($access eq 'public')?'all granted':"ip $localAccess $externalSSLAccess";
+my $authtype = $nextcloud{'Authentication'} || 'none';
+
+my $alias = (($nextcloud{'AliasOnPrimary'} || 'enabled') eq 'enabled') ?
+    'Alias /nextcloud /usr/share/nextcloud' : '';
+
+my $maxupload = $nextcloud{'MaxUploadSize'} || '1024';
+my $maxpost = $maxupload+1;
+$maxupload .= 'M';
+$maxpost .= 'M';
+
+my $auth = '';
+if ($authtype eq 'http'){
+    $auth =<<'EOF';
+    <FilesMatch "^(admin|rest)\.php">
+        SSLRequireSSL on
+        AuthName "nextcloud"
+        AuthType Basic
+        AuthBasicProvider external
+        AuthExternal pwauth
+        Require valid-user
+    </FilesMatch>
+EOF
+}
+
+if ($nextcloud{'status'} eq 'enabled'){
+
+if ((exists $php{status} and $php{status} eq "enabled") and $phpModule eq "enabled")
+  {
+  my $php =<<_EOF;
+    AddType application/x-httpd-php .php
+    php_admin_flag file_upload On
+    php_admin_flag magic_quotes Off
+    php_admin_flag magic_quotes_gpc Off
+    php_admin_value upload_max_filesize $maxupload
+    php_admin_value post_max_size $maxpost
+    php_admin_value memory_limit 512M
+    php_admin_flag output_buffering Off
+    php_admin_value max_execution_time 0
+    php_admin_value upload_tmp_dir /var/lib/nextcloud/tmp
+    php_admin_value session.save_path /var/lib/nextcloud/tmp
+    php_admin_value session.gc_maxlifetime 86400
+    php_admin_value open_basedir /usr/share/nextcloud:/var/lib/nextcloud:/var/log/nextcloud.log:/var/lib/php/nextcloud:/home/e-smith/files/nextcloud:/dev/urandom:/proc/meminfo
+_EOF
+}
+  if ($fastcgi_mod eq 'mod_proxy_fcgi'){
+    my $phpversion="81";
+    my $version="26";
+    my $search=qr/\s*'version'\s*=>\s*'([0-9]{2})\.[0-9]{1,2}.*/;
+    if ( open NC, "</usr/share/nextcloud/config/config.php") {
+       map {$version = $1 if /$search/ } <NC>;
+       close NC;
+    }
+    $phpversion="74" if $version <= 24;
+
+    $php =<<"_EOF";
+     <FilesMatch \\.php\$>
+         SetHandler "proxy:unix:/var/run/php-fpm/php${phpversion}-nextcloud.sock|fcgi://localhost"
+     </FilesMatch>
+_EOF
+  }
+
+my $config =<<_EOF;
+  <Directory "/usr/share/nextcloud">
+    Options +FollowSymLinks
+    AllowOverride All
+$php
+    Require $allow
+$auth
+
+    <IfModule mod_dav.c>
+      Dav off
+    </IfModule>
+
+    SetEnv HOME /usr/share/nextcloud
+    SetEnv HTTP_HOME /usr/share/nextcloud
+    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=\$1
+  </Directory>
+
+  <Directory "/home/e-smith/files/nextcloud/data/">
+    # just in case if .htaccess gets disabled
+    Require all denied
+  </Directory>
+_EOF
+
+
+$OUT .=<<"END"
+# nextcloud Configuration
+<IfModule mod_headers.c>
+  Header always set Strict-Transport-Security "max-age=15552000"
+</IfModule>
+$alias
+
+$config
+
+END
+}
+else{
+    $OUT .= "# nextcloud is disabled\n";
+}
+}
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28nextcloud

@@ -0,0 +1,41 @@
+#
+# 28nextcloud
+#
+
+{
+   my $CloudDomain = $nextcloud{'VirtualHost'} || 'none';#using CloudDomain, not to confuse for the template virtualHost variable
+   $OUT = '';
+    if ((${'nextcloud'}{'status'} || 'disabled') eq 'enabled' ){
+            
+        if (($port eq "80") && ($haveSSL eq 'yes')){
+            $OUT .= "    RewriteRule ^/nextcloud(/.*|\$)    https://%{HTTP_HOST}/nextcloud\$1 [L,R=301]\n";
+        }
+	elsif ( $CloudDomain eq "none" or $CloudDomain ne $virtualHost )
+	{
+	   $OUT .= " 
+  RewriteEngine on
+  RewriteRule ^/\\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
+  RewriteRule ^/\\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
+  #RewriteRule ^/\\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
+  RewriteRule ^/\\.well-known/webfinger /nextcloud/index.php/.well-known/webfinger [R=301,L]
+  RewriteRule ^/\\.well-known/nodeinfo /nextcloud/index.php/.well-known/nodeinfo [R=301,L]
+  RewriteRule ^/\\.well-known/carddav /nextcloud/remote.php/dav [R=301,L]
+  RewriteRule ^/\\.well-known/caldav /nextcloud/remote.php/dav [R=301,L]
+  RewriteRule ^/remote.php/dav /nextcloud/remote.php/dav [R=301,L]\n";
+	}
+        elsif ( $CloudDomain eq $virtualHost )
+        {
+           $OUT .= " 
+  RewriteEngine on
+  RewriteRule ^/\\.well-known/host-meta /public.php?service=host-meta [QSA,L]
+  RewriteRule ^/\\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
+  #RewriteRule ^/\\.well-known/webfinger /public.php?service=webfinger [QSA,L]
+  RewriteRule ^/\\.well-known/webfinger /index.php/.well-known/webfinger [R=301,L]
+  RewriteRule ^/\\.well-known/nodeinfo /index.php/.well-known/nodeinfo [R=301,L]
+  RewriteRule ^/\\.well-known/carddav /remote.php/dav [R=301,L]
+  RewriteRule ^/\\.well-known/caldav /remote.php/dav [R=301,L]\n";
+        }
+
+    }
+}
+

root/etc/e-smith/templates/etc/opt/remi/php74/php.d/20-opcache.ini/10base

@@ -0,0 +1,9 @@
+opcache.enable=1
+opcache.file_cache= /var/opt/remi/php74/lib/php/opcache
+opcache.enable_cli= 1
++opcache.interned_strings_buffer= {$nextcloud{'opcache.interned_strings_buffer'} || 64;}
++opcache.max_accelerated_files= {$nextcloud{'opcache.max_accelerated_files'} || 65406;}
++opcache.memory_consumption= {$nextcloud{'opcache.memory_consumption'} || 512;}
+opcache.save_comments= 1
+opcache.revalidate_freq= 1
+

root/etc/e-smith/templates/etc/opt/remi/php81/php.d/20-opcache.ini/10base

@@ -0,0 +1,9 @@
+opcache.enable=1
+opcache.file_cache= /var/opt/remi/php81/lib/php/opcache
+opcache.enable_cli= 1
+opcache.interned_strings_buffer= {$nextcloud{'opcache.interned_strings_buffer'} || 64;}
+opcache.max_accelerated_files= {$nextcloud{'opcache.max_accelerated_files'} || 65406;}
+opcache.memory_consumption= {$nextcloud{'opcache.memory_consumption'} || 512;}
+opcache.save_comments= 1
+opcache.revalidate_freq= 1
+

root/etc/e-smith/templates/etc/php-fpm.d/www.conf/15Nextcloud

@@ -0,0 +1,89 @@
+{
+ my $phpversion="81";
+ my $version="26";
+ my $search=qr/\s*'version'\s*=>\s*'([0-9]{2})\.[0-9]{1,2}.*/;
+ if ( open NC, "</usr/share/nextcloud/config/config.php") {
+  map {$version = $1 if /$search/ } <NC>;
+  close NC;
+ }
+ $phpversion="74" if $version <= 24;
+
+if ($PHP_VERSION eq $phpversion){
+  if (($nextcloud{'status'} || 'disabled') eq 'enabled'){
+    my $max_upload_size = ($nextcloud{MaxUploadSize} || '4096');
+    $max_upload_size .= 'M' if ($max_upload_size =~ m/^\d+$/);
+    my $memory_limit = ($nextcloud{MemoryLimit} || '512M');
+    $memory_limit .= 'M' if ($memory_limit =~ m/^\d+$/);
+    my $open_basedir= $nextcloud{PHPBaseDir} || '';
+    $open_basedir = "/usr/share/nextcloud:/var/lib/nextcloud:/var/log/nextcloud.log:/var/lib/php/nextcloud:/home/e-smith/files/nextcloud:/dev/urandom:/proc/meminfo:/usr/share/GeoIP/GeoLite2-Country.mmdb:/proc/cpuinfo:$open_basedir";
+    my $id = 'nextcloud';
+    my $max_children = $nextcloud{'PHPmaxChildren'} || 20;
+    my $min_spare_servers = $nextcloud{'PHPminServers'} || 4;
+    my $start_servers = $nextcloud{'PHPstartServers'} || 6;
+    my $max_spare_servers = $nextcloud{'PHPmaxServers'} || 8;
+    my $max_requests = $nextcloud{'PHPmaxRequests'} || 1000;
+    my $opcacheBuff = $nextcloud{'opcache.interned_strings_buffer'} || 64;
+    my $opcacheMem = $nextcloud{'opcache.memory_consumption'} || 512;
+    my $opcacheAccFiles = $nextcloud{'opcache.max_accelerated_files'} || 65406;
+    $min_spare_servers = ( $min_spare_servers > $max_spare_servers ) ? printf("%.0f",$max_spare_servers/2) : $min_spare_servers;
+    $start_servers = ( $start_servers > $max_spare_servers ) ? printf("%.0f", $max_spare_servers /2 +  $min_spare_servers/2  ) : $start_servers;
+
+    $OUT .=<<_EOF;
+
+[php$PHP_VERSION-$id]
+user = www
+group = www
+listen.owner = root
+listen.group = www
+listen.mode = 0660
+listen = /var/run/php-fpm/php$PHP_VERSION-$id.sock
+pm = dynamic
+pm.max_children = $max_children
+pm.start_servers = $start_servers
+pm.min_spare_servers = $min_spare_servers
+pm.max_spare_servers = $max_spare_servers
+pm.max_requests = $max_requests
+php_admin_value[sys_temp_dir] = /var/lib/php/$id/tmp
+php_admin_value[session.save_path] = /var/lib/php/$id/session
+php_admin_value[session.gc_maxlifetime] = 86400
+php_admin_value[upload_tmp_dir] = /var/lib/php/$id/tmp
+php_admin_value[error_log] = /var/log/php/$id/error.log
+slowlog = /var/log/php/nextcloud/slow.log
+php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f php@{ $DomainName }
+php_admin_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = $memory_limit
+php_admin_value[max_execution_time] = 3600
+php_admin_value[post_max_size] = $max_upload_size
+php_admin_value[upload_max_filesize] = $max_upload_size
+php_admin_value[disable_functions] = system, show_source, symlink, dl, passthru 
+php_admin_value[open_basedir] = $open_basedir
+php_admin_flag[allow_url_fopen] = on
+php_admin_flag[file_upload] = on
+php_admin_flag[session.cookie_httponly] = on
+php_admin_flag[allow_url_include] = off
+php_admin_value[session.save_handler] = files
+php_admin_flag[output_buffering] = off
+
+; Set opcache settings 
+;php_value[opcache.enable]=1 ;if already set in php.d/20-opcache.ini will issue warning
+; we disable file caching as it crashes opcache on php81 (/var/lib/php/$id/opcache)
+; will only slow on php restart as it needs cache rebuilding instead of loading the file cache.
+php_value[opcache.file_cache]  = 
+php_value[opcache.enable_cli]  = 1
+php_value[opcache.interned_strings_buffer]  = $opcacheBuff
+php_value[opcache.max_accelerated_files]  = $opcacheAccFiles
+php_value[opcache.memory_consumption]  = $opcacheMem
+php_value[opcache.save_comments]  = 1
+php_value[opcache.revalidate_freq]  = 1
+php_value[opcache.jit] = off
+_EOF
+
+  }
+  else{
+    $OUT .= '; Nextcloud is disabled';
+  }
+} 
+}
+

root/etc/fail2ban/filter.d/nextcloud.conf

@@ -0,0 +1,5 @@
+[Definition]
+failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}
+
+ignoreregex =
+

root/etc/logrotate.d/nextcloud

@@ -0,0 +1,9 @@
+/home/e-smith/files/nextcloud/data/nextcloud.log {
+  compress
+  delaycompress
+  missingok
+  notifempty
+  su www www
+  create 640 www www
+}
+

root/etc/sudoers.d/90_nextcloud

@@ -0,0 +1 @@
+Defaults:root !requiretty

root/usr/bin/nc_dbupdate

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+/usr/bin/occ  db:add-missing-indices
+/usr/bin/occ  db:add-missing-primary-keys
+/usr/bin/occ  db:convert-filecache-bigint

root/usr/bin/occ

@@ -0,0 +1,8 @@
+#!/bin/bash
+majversion=$((/usr/bin/grep -Eo "'version'.*[0-9]{2}\." /usr/share/nextcloud/config/config.php 2>/dev/null || echo "26" )|/usr/bin/grep -Eo "[0-9]{2}"|head -1)
+memory=$(/sbin/e-smith/config getprop nextcloud memory_limit|| echo "1024M")
+myphp=/usr/bin/php81
+if [[ $majversion -le '24' ]]; then 
+  myphp=/usr/bin/php74
+fi
+/usr/sbin/runuser -u www -- $myphp -d memory_limit=$memory -d apc.enable_cli=1 /usr/share/nextcloud/occ "$@"