#!/bin/bash
#
# seafile-server-installer/seafile-server-centos-7-amd64
#
# Copyright 2015, Alexander Jackson <alexander.jackson@seafile.de>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
#

if [[ $HOME == "" ]]; then
    export HOME=/root
fi

if [[ $SEAFILE_DEBUG != "" ]]; then
    set -x
fi
set -e

if [[ "$#" -ne 1 ]]; then
    echo "You must specif Seafile version to install"
    echo "Like: $0 7.0.0"
    exit 1
fi

clear
cat <<EOF

  This script installs the community edition of the Seafile Server on a Centos 7 64bit
  - Newest Seafile server version, MariaDB, Memcached, NGINX -
  -----------------------------------------------------------------

  This installer is meant to run on a freshly installed machine
  only. If you run it on a production server things can and
  probably will go terrible wrong and you will loose valuable
  data!

  For questions or suggestions please contact us at
  support@seafile.com

  -----------------------------------------------------------------

  Possible options:
  1 = Seafile Community (Free) Edition (CE)
  2 = Seafile Professional Edition (PRO)

EOF

if [[ ${SEAFILE_PRO} == "" ]]; then
    PS3="Which Seafile version would you like to install? "
    select SEAFILE_SERVER_VERSION in CE PRO ABORT; do
        case "${SEAFILE_SERVER_VERSION}" in
            ABORT)
                echo "Aborting"
                break
                ;;
            "")
                echo "$REPLY: Wrong value. Select 1 or 2."
                ;;
            *)
                if [[ ${SEAFILE_SERVER_VERSION} = "PRO" ]]; then
                    SEAFILE_PRO=1
                else
                    SEAFILE_PRO=0
                fi
                break
        esac
    done
fi

is_pro() {
    if [[ "$SEAFILE_PRO" == "1" ]]; then
        return 0
    else
        return 1
    fi
}

echo
if is_pro; then
    echo "This script will install Seafile Professional Edition for you."
else
    echo "This script will install Seafile Community Edition for you."
fi
echo

# -------------------------------------------
# Vars
# -------------------------------------------
SEAFILE_ADMIN=admin@seafile.local
SEAFILE_SERVER_USER=seafile
SEAFILE_SERVER_HOME=/opt/seafile
IP_OR_DOMAIN=127.0.0.1
SEAFILE_VERSION=$1
TIME_ZONE=Asia/Shanghai

if is_pro; then
    SEAFILE_SERVER_PACKAGE=seafile-pro-server_${SEAFILE_VERSION}_x86-64.tar.gz
    if [[ ! -e /opt/$SEAFILE_SERVER_PACKAGE ]]; then
        echo
        echo "You must download \"$SEAFILE_SERVER_PACKAGE\" to the /opt/ folder before running this script!"
        echo
        exit 1
    fi
    INSTALLPATH=${SEAFILE_SERVER_HOME}/seafile-pro-server-${SEAFILE_VERSION}/
else
    SEAFILE_SERVER_PACKAGE=seafile-server_${SEAFILE_VERSION}_x86-64.tar.gz
    SEAFILE_SERVER_PACKAGE_URL=http://seafile-downloads.oss-cn-shanghai.aliyuncs.com/${SEAFILE_SERVER_PACKAGE}
    INSTALLPATH=${SEAFILE_SERVER_HOME}/seafile-server-${SEAFILE_VERSION}/
fi


# -------------------------------------------
# Ensure we are running the installer as root
# -------------------------------------------
if [[ $EUID -ne 0 ]]; then
  echo "  Aborting because you are not root" ; exit 1
fi


# -------------------------------------------
# Abort if directory /opt/seafile/ exists
# -------------------------------------------
if [[ -d "${SEAFILE_SERVER_HOME}" ]] ;
then
  echo "  Aborting because directory ${SEAFILE_SERVER_HOME} already exist" ; exit 1
fi

# -------------------------------------------
# Abort if directory /opt/seafile/ exists
# -------------------------------------------
if getent passwd ${SEAFILE_SERVER_USER} > /dev/null 2>&1 ;
then
  echo "Aborting because user ${SEAFILE_SERVER_USER} already exist" ; exit 1
fi

# -------------------------------------------
# Setup permissive selinux
# -------------------------------------------
# runtime
enforce=`getenforce`
if [[ "${enforce}" != "Disabled" ]]; then
    setenforce 0
fi
# permanently
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config

# -------------------------------------------
# Setup firewall
# -------------------------------------------
yum install firewalld fail2ban -y
# https://www.optimox.de/tutorials/linux-allgemein/centos-firewall-konfigurieren-mit-firewalld
systemctl status firewalld &> /dev/null \
&& for i in ssh http https ; do firewall-cmd --zone=public --add-service=${i} --permanent ; done \
&& firewall-cmd --reload

# -------------------------------------------
# Additional requirements
# -------------------------------------------
# extra packages for enterprise linux

yum install epel-release -y
yum upgrade -y

if [[ ${SEAFILE_VERSION} =~ 6\.[0-9]*\.[0-9]* ]]; then
    yum install python-setuptools MySQL-python memcached python-urllib3 \
        pwgen curl openssl python-ldap java-1.8.0-openjdk poppler-utils libreoffice python-requests \
        libreoffice-headless libreoffice-pyuno wqy-microhei-fonts wqy-zenhei-fonts wqy-unibit-fonts \
        gcc libffi-devel python-devel openssl-devel libmemcached libmemcached-devel python2-pip -y

    pip install pylibmc==1.6.0 django-pylibmc==0.6.1
    pip install --timeout=3600 Pillow==4.3.0
    pip install psd-tools==1.4
else
    yum install python-setuptools MySQL-python memcached python-urllib3 \
        pwgen curl openssl python-ldap java-1.8.0-openjdk poppler-utils libreoffice \
        libreoffice-headless libreoffice-pyuno wqy-microhei-fonts wqy-zenhei-fonts wqy-unibit-fonts \
        libffi-devel openssl-devel libmemcached -y
fi

# start memcached on system boot
systemctl enable --now memcached

# -------------------------------------------
# Install nginx
# -------------------------------------------
yum install nginx -y
systemctl enable nginx
rm -rf /etc/nginx/conf.d/*

cat > /etc/nginx/conf.d/seafile.conf << EOF
log_format seafileformat '\$http_x_forwarded_for \$remote_addr [\$time_local] "\$request" \$status \$body_bytes_sent "\$http_referer" "\$http_user_agent" \$upstream_response_time';

server {
    listen 80;
    server_name seafile.example.com;

    proxy_set_header X-Forwarded-For \$remote_addr;

    location / {
         proxy_pass         http://127.0.0.1:8000;
         proxy_set_header   Host \$host;
         proxy_set_header   X-Real-IP \$remote_addr;
         proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Host \$server_name;
         proxy_set_header   X-Forwarded-Proto \$scheme;
         proxy_read_timeout  1200s;

         # used for view/edit office file via Office Online Server
         client_max_body_size 0;

         access_log      /var/log/nginx/seahub.access.log seafileformat;
         error_log       /var/log/nginx/seahub.error.log;
    }
        
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ \$1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;

        access_log      /var/log/nginx/seafhttp.access.log seafileformat;
        error_log       /var/log/nginx/seafhttp.error.log;
    }
    location /media {
        root ${SEAFILE_SERVER_HOME}/seafile-server-latest/seahub;
    }
    location /seafdav {
        fastcgi_pass    127.0.0.1:8080;
        fastcgi_param   SCRIPT_FILENAME     \$document_root\$fastcgi_script_name;
        fastcgi_param   PATH_INFO           \$fastcgi_script_name;
        fastcgi_param   SERVER_PROTOCOL     \$server_protocol;
        fastcgi_param   QUERY_STRING        \$query_string;
        fastcgi_param   REQUEST_METHOD      \$request_method;
        fastcgi_param   CONTENT_TYPE        \$content_type;
        fastcgi_param   CONTENT_LENGTH      \$content_length;
        fastcgi_param   SERVER_ADDR         \$server_addr;
        fastcgi_param   SERVER_PORT         \$server_port;
        fastcgi_param   SERVER_NAME         \$server_name;
        fastcgi_param   REMOTE_ADDR         \$remote_addr;

        client_max_body_size 0;

        access_log      /var/log/nginx/seafdav.access.log seafileformat;
        error_log       /var/log/nginx/seafdav.error.log;
    }
}
EOF

# Create optimized nginx.conf
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
cat > /etc/nginx/nginx.conf <<'ENDOFFILE'
user nginx nginx;
worker_processes 4;

events {
  worker_connections 8096;
  multi_accept on;
  use epoll;
}

pid /var/run/nginx.pid;
worker_rlimit_nofile 40000;

http {
  server_tokens off;
  server_names_hash_bucket_size 128;
  client_max_body_size 50M;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log warn;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  client_body_timeout 12;
  client_header_timeout 12;
  keepalive_timeout 15;
  send_timeout 10;
  # Fully disabled gzip compression to mitigate Django BREACH attack: https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
  gzip off;
  #gzip_vary on;
  #gzip_proxied expired no-cache no-store private auth any;
  #gzip_comp_level 9;
  #gzip_min_length 10240;
  #gzip_buffers 16 8k;
  #gzip_http_version 1.1;
  #gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/xml font/woff2;
  #gzip_disable "MSIE [1-6].";
  include /etc/nginx/conf.d/*.conf;
}
ENDOFFILE

# Fix NGINX worker_processes to number of CPU cores
CPUS=$(cat /proc/cpuinfo | grep processor | wc | awk '{ print $1 }')
eval "sed -i 's/worker_processes.*/worker_processes  $CPUS;/g' /etc/nginx/nginx.conf"

systemctl restart nginx

# -------------------------------------------
# MariaDB
# -------------------------------------------
if [[ -f "/root/.my.cnf" ]] ;
then
    echo "MariaDB installed before, skip this part"
    SQLROOTPW=`sed -n 's/password=//p' /root/.my.cnf`
else
    yum install mariadb-server -y
    systemctl start mariadb
    systemctl enable mariadb

    SQLROOTPW=$(pwgen)

    mysqladmin -u root password $SQLROOTPW

    cat > /root/.my.cnf <<EOF
[client]
user=root
password=$SQLROOTPW
EOF

  chmod 600 /root/.my.cnf
fi


# -------------------------------------------
# Seafile init script
# -------------------------------------------
cat > /etc/systemd/system/seafile.service << EOF
[Unit]
Description=Seafile Server
After=network.target remote-fs.target mariadb.service

[Service]
ExecStart=${SEAFILE_SERVER_HOME}/seafile-server-latest/seafile.sh start
ExecStop=${SEAFILE_SERVER_HOME}/seafile-server-latest/seafile.sh stop
User=${SEAFILE_SERVER_USER}
Group=${SEAFILE_SERVER_USER}
LimitNOFILE=infinity
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
systemctl enable seafile

cat > /etc/systemd/system/seahub.service << EOF
[Unit]
Description=Seafile Seahub
After=network.target seafile.service

[Service]
ExecStart=${SEAFILE_SERVER_HOME}/seafile-server-latest/seahub.sh start
ExecStop=${SEAFILE_SERVER_HOME}/seafile-server-latest/seahub.sh stop
User=${SEAFILE_SERVER_USER}
Group=${SEAFILE_SERVER_USER}
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
systemctl enable seahub

# Seafile restart script
cat > /usr/local/sbin/seafile-server-restart << 'EOF'
#!/bin/bash
for ACTION in stop start ; do
    for SERVICE in seafile seahub ; do
      systemctl ${ACTION} ${SERVICE}
    done
done
EOF
chmod 700 /usr/local/sbin/seafile-server-restart

# -------------------------------------------
# Seafile
# -------------------------------------------
mkdir -p ${SEAFILE_SERVER_HOME}/installed
cd ${SEAFILE_SERVER_HOME}
if ! is_pro && [[ ! -e /opt/${SEAFILE_SERVER_PACKAGE} ]]; then
    curl -OL ${SEAFILE_SERVER_PACKAGE_URL}
else
    cp /opt/${SEAFILE_SERVER_PACKAGE} .
fi
tar xzf ${SEAFILE_SERVER_PACKAGE}

mv ${SEAFILE_SERVER_PACKAGE} installed


# -------------------------------------------
# Seafile DB
# -------------------------------------------
if [[ -f "/opt/seafile.my.cnf" ]] ;
then
  echo "MariaDB installed before, skip this part"
  SQLSEAFILEPW=`sed -n 's/password=//p' /opt/seafile.my.cnf`
else
  SQLSEAFILEPW=$(pwgen)

  cat > /opt/seafile.my.cnf <<EOF
[client]
user=seafile
password=$SQLSEAFILEPW
EOF

  chmod 600 /opt/seafile.my.cnf
fi

# -------------------------------------------
# Add seafile user
# -------------------------------------------
useradd --system --comment "${SEAFILE_SERVER_USER}" ${SEAFILE_SERVER_USER} --home-dir  ${SEAFILE_SERVER_HOME}

# -------------------------------------------
# Go to /opt/seafile/seafile-pro-server-${SEAFILE_VERSION}
# -------------------------------------------
cd $INSTALLPATH

# -------------------------------------------
# Vars - Don't touch these unless you really know what you are doing!
# -------------------------------------------
TOPDIR=$(dirname "${INSTALLPATH}")
DEFAULT_CONF_DIR=${TOPDIR}/conf
SEAFILE_DATA_DIR=${TOPDIR}/seafile-data
DEST_SETTINGS_PY=${TOPDIR}/conf/seahub_settings.py

mkdir -p ${DEFAULT_CONF_DIR}

# -------------------------------------------
# Create ccnet, seafile, seahub conf using setup script
# -------------------------------------------

./setup-seafile-mysql.sh auto -u seafile -w ${SQLSEAFILEPW} -r ${SQLROOTPW}

# -------------------------------------------
# Configure Seafile WebDAV Server(SeafDAV)
# -------------------------------------------
sed -i 's/enabled = .*/enabled = true/' ${DEFAULT_CONF_DIR}/seafdav.conf
sed -i 's/fastcgi = .*/fastcgi = true/' ${DEFAULT_CONF_DIR}/seafdav.conf
sed -i 's/share_name = .*/share_name = \/seafdav/' ${DEFAULT_CONF_DIR}/seafdav.conf

# -------------------------------------------
# Configuring seahub_settings.py
# -------------------------------------------
cat >> ${DEST_SETTINGS_PY} <<EOF

CACHES = {
    'default': {
        'BACKEND': 'django_pylibmc.memcached.PyLibMCCache',
        'LOCATION': '127.0.0.1:11211',
    },
    'locmem': {
        'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
    },
}
COMPRESS_CACHE_BACKEND = 'locmem'

# EMAIL_USE_TLS                       = False
# EMAIL_HOST                          = 'localhost'
# EMAIL_HOST_USER                     = ''
# EMAIL_HOST_PASSWORD                 = ''
# EMAIL_PORT                          = '25'
# DEFAULT_FROM_EMAIL                  = EMAIL_HOST_USER
# SERVER_EMAIL                        = EMAIL_HOST_USER

TIME_ZONE                           = '${TIME_ZONE}'
SITE_BASE                           = 'http://${IP_OR_DOMAIN}'
SITE_NAME                           = 'Seafile Server'
SITE_TITLE                          = 'Seafile Server'
SITE_ROOT                           = '/'
ENABLE_SIGNUP                       = False
ACTIVATE_AFTER_REGISTRATION         = False
SEND_EMAIL_ON_ADDING_SYSTEM_MEMBER  = True
SEND_EMAIL_ON_RESETTING_USER_PASSWD = True
CLOUD_MODE                          = False
FILE_PREVIEW_MAX_SIZE               = 30 * 1024 * 1024
SESSION_COOKIE_AGE                  = 60 * 60 * 24 * 7 * 2
SESSION_SAVE_EVERY_REQUEST          = False
SESSION_EXPIRE_AT_BROWSER_CLOSE     = False

FILE_SERVER_ROOT                    = 'http://${IP_OR_DOMAIN}/seafhttp'
EOF


# -------------------------------------------
# Backup check_init_admin.py befor applying changes
# -------------------------------------------
cp ${INSTALLPATH}/check_init_admin.py ${INSTALLPATH}/check_init_admin.py.backup


# -------------------------------------------
# Set admin credentials in check_init_admin.py
# -------------------------------------------
SEAFILE_ADMIN_PW=$(pwgen)
eval "sed -i 's/= ask_admin_email()/= \"${SEAFILE_ADMIN}\"/' ${INSTALLPATH}/check_init_admin.py"
eval "sed -i 's/= ask_admin_password()/= \"${SEAFILE_ADMIN_PW}\"/' ${INSTALLPATH}/check_init_admin.py"

# -------------------------------------------
# Start and stop Seafile eco system. This generates the initial admin user.
# -------------------------------------------
${INSTALLPATH}/seafile.sh start
${INSTALLPATH}/seahub.sh start
sleep 2                         # sleep for a while, otherwise seahub will not be stopped
${INSTALLPATH}/seahub.sh stop
sleep 1
${INSTALLPATH}/seafile.sh stop


# -------------------------------------------
# Restore original check_init_admin.py
# -------------------------------------------
mv ${INSTALLPATH}/check_init_admin.py.backup ${INSTALLPATH}/check_init_admin.py

if is_pro; then
    PRO_PY=${INSTALLPATH}/pro/pro.py
    $PYTHON ${PRO_PY} setup --mysql --mysql_host=127.0.0.1 --mysql_port=3306 --mysql_user=seafile --mysql_password=${SQLSEAFILEPW} --mysql_db=seahub_db
fi

# -------------------------------------------
# Fix permissions
# -------------------------------------------
chown ${SEAFILE_SERVER_USER}:${SEAFILE_SERVER_USER} -R ${SEAFILE_SERVER_HOME}
if [[ -d /tmp/seafile-office-output/ ]]; then
    chown ${SEAFILE_SERVER_USER}:${SEAFILE_SERVER_USER} -R /tmp/seafile-office-output/
fi

# -------------------------------------------
# Restart seafile server
# -------------------------------------------
/usr/local/sbin/seafile-server-restart

# -------------------------------------------
# Final report
# -------------------------------------------
cat > ${TOPDIR}/aio_seafile-server.log<<EOF

  Your Seafile server is installed
  -----------------------------------------------------------------

  Server Address:      http://${IP_OR_DOMAIN}

  Seafile Admin:       ${SEAFILE_ADMIN}
  Admin Password:      ${SEAFILE_ADMIN_PW}

  Seafile Data Dir:    ${SEAFILE_DATA_DIR}

  Seafile DB Credentials:  Check /opt/seafile.my.cnf
  Root DB Credentials:     Check /root/.my.cnf

  This report is also saved to ${TOPDIR}/aio_seafile-server.log



  Next you should manually complete the following steps
  -----------------------------------------------------------------

  1) Log in to Seafile and configure your server domain via the system
     admin area if applicable.

  2) If this server is behind a firewall, you need to ensure that
     tcp port 80 is open.

  3) Seahub tries to send emails via the local server. Install and
     configure Postfix for this to work or
     check https://manual.seafile.com/config/sending_email.html
     for instructions on how to use an existing email account via SMTP.




  Optional steps
  -----------------------------------------------------------------

  1) Check seahub_settings.py and customize it to fit your needs. Consult
     http://manual.seafile.com/config/seahub_settings_py.html for possible switches.

  2) Setup NGINX with official SSL certificate.

  3) Secure server with iptables based firewall. For instance: UFW or shorewall

  4) Harden system with port knocking, fail2ban, etc.

  5) Enable unattended installation of security updates. Check
     https://wiki.Ubuntu.org/UnattendedUpgrades for details.

  6) Implement a backup routine for your Seafile server.

  7) Update NGINX worker processes to reflect the number of CPU cores.




  Seafile support options
  -----------------------------------------------------------------

  For free community support visit:   https://bbs.seafile.com
  For paid commercial support visit:  https://seafile.com

EOF

chmod 600 ${TOPDIR}/aio_seafile-server.log

clear

cat ${TOPDIR}/aio_seafile-server.log