Several improvements

* logging improvements
* gpg keys import improvements

install

@@ -390,7 +390,7 @@ wo_update_wp_cli() {
 
 wo_install_acme_sh() {
     # check if acme.sh is already installed
-    if [ ! -x /etc/letsencrypt/acme.sh ]; then
+    if [ ! -x /etc/letsencrypt/acme.sh ] && [ ! -d /etc/letsencrypt/{renewal,archive} ]; then
         {
             # clone the git repository
             if [ -d /opt/acme.sh/.git ]; then
@@ -731,75 +731,71 @@ wo_uninstall() {
 }
 
 wo_ufw_setup() {
-
-    # get custom ssh port
-    if [ -f /etc/ssh/sshd_config ]; then
-        CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
-    fi
-    # define firewall rules
-    if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
-        ufw logging low
-    fi
-    if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
-        ufw default allow outgoing
-    fi
-    if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
-        ufw default deny incoming
-    fi
-    if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
-        # default ssh port
-        ufw limit 22
-    fi
-
-    # custom ssh port
-    if [ "$CURRENT_SSH_PORT" != "22" ]; then
-        if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
-            ufw limit "$CURRENT_SSH_PORT"
+    if ! grep -q "ENABLED=yes" /etc/ufw/ufw.conf; then
+        # get custom ssh port
+        if [ -f /etc/ssh/sshd_config ]; then
+            CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
+        fi
+        # define firewall rules
+        if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
+            ufw logging low
+        fi
+        if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
+            ufw default allow outgoing
+        fi
+        if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
+            ufw default deny incoming
+        fi
+        if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
+            # default ssh port
+            ufw limit 22
         fi
-    fi
 
-    # nginx
-    if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
-        # http
-        ufw allow http
-    fi
-    if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
-        # https
-        ufw allow https
-    fi
+        # custom ssh port
+        if [ "$CURRENT_SSH_PORT" != "22" ]; then
+            if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
+                ufw limit "$CURRENT_SSH_PORT"
+            fi
+        fi
 
-    # ntp
-    if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
-        ufw allow 123
-    fi
+        # nginx
+        if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
+            # http
+            ufw allow http
+        fi
+        if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
+            # https
+            ufw allow https
+        fi
 
-    if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
-        # wordops backend
-        ufw limit 22222
-    fi
-    # enable ufw
-    if [ -n "$CURRENT_SSH_PORT" ]; then
-        if ! grep -q "ENABLED=yes" /etc/ufw/ufw.conf; then
+        # ntp
+        if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
+            ufw allow 123
+        fi
+
+        if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
+            # wordops backend
+            ufw limit 22222
+        fi
+        # enable ufw
+        if [ -n "$CURRENT_SSH_PORT" ]; then
             ufw --force enable
-        else
-            ufw reload
+        fi
+
+        # remove ufw from syslog
+        if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
+            sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
+            service rsyslog restart
         fi
     fi
-
-    # remove ufw from syslog
-    if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
-        sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
-        service rsyslog restart
-    fi
-
 } \
     >> $wo_install_log
 
 wo_cheat_install() {
     curl -sL https://cht.sh/:cht.sh > /usr/local/bin/cht.sh
     chmod +x /usr/local/bin/cht.sh
-    [ ! -h /usr/local/bin/cheat  ] && {
-    ln -s /usr/local/bin/cht.sh /usr/local/bin/cheat
+    [ ! -h /usr/local/bin/cheat ] && {
+        ln -s /usr/local/bin/cht.sh /usr/local/bin/cheat
     }
     curl -sL https://cheat.sh/:bash_completion > /etc/bash_completion.d/cht.sh
 }

tests/travis.sh

@@ -10,7 +10,7 @@ CGREEN="${CSI}1;32m"
 CEND="${CSI}0m"
 
 exit_script() {
-    curl --progress-bar --upload-file /var/log/wo/wordops.log https://transfer.vtbox.net/"$(basename wordops.log)" && echo "" | sudo tee -a $HOME/.transfer.log && echo ""
+    curl --progress-bar --upload-file /var/log/wo/wordops.log https://transfer.vtbox.net/"$(basename wordops.log)" && echo ""
     exit 1
 }
 

wo/cli/plugins/site_functions.py

@@ -736,7 +736,7 @@ def setupwp_plugin(self, plugin_name, plugin_option, plugin_data, data):
                                          ))
         except CommandExecutionError as e:
             Log.failed(self, "Setting plugin {0}"
-                                   .format(plugin_name))
+                       .format(plugin_name))
             Log.debug(self, "{0}".format(e))
             raise SiteError("plugin setup failed")
         else:

wo/cli/plugins/stack.py

@@ -548,6 +548,7 @@ class WOStackController(CementBaseController):
             pargs.proftpd = True
             pargs.utils = True
             pargs.redis = True
+            pargs.security = True
             packages = packages + ['/var/www/22222/htdocs']
 
         if pargs.web:

wo/cli/plugins/stack_pref.py

@@ -26,6 +26,7 @@ from wo.core.variables import WOVariables
 
 
 def pre_pref(self, apt_packages):
+    apt_repo_key = []
     """Pre settings to do before installation packages"""
 
     if (set(["mariadb-server"]).issubset(set(apt_packages)) or
@@ -41,12 +42,8 @@ def pre_pref(self, apt_packages):
                       'MariaDB.pref', 'w') as mysql_pref_file:
                 mysql_pref_file.write(mysql_pref)
             WORepo.add(self, repo_url=WOVariables.wo_mysql_repo)
-            Log.debug(self, 'Adding key for {0}'
-                      .format(WOVariables.wo_mysql_repo))
-            WORepo.add_key(self, '0xcbcb082a1bb943db',
-                           keyserver="keyserver.ubuntu.com")
-            WORepo.add_key(self, '0xF1656F24C74CD1D8',
-                           keyserver="keyserver.ubuntu.com")
+            apt_repo_key = (apt_repo_key +
+                            ['0xcbcb082a1bb943db', '0xF1656F24C74CD1D8'])
     if set(["mariadb-server"]).issubset(set(apt_packages)):
         # generate random 24 characters root password
         chars = ''.join(random.sample(string.ascii_letters, 24))
@@ -114,6 +111,8 @@ def pre_pref(self, apt_packages):
             WORepo.add(self, ppa=WOVariables.wo_nginx_repo)
             Log.debug(self, 'Adding ppa for Nginx')
         else:
+            apt_repo_key = apt_repo_key + WOVariables.wo_nginx_key
+
             WORepo.add(self, repo_url=WOVariables.wo_nginx_repo)
             Log.debug(self, 'Adding repository for Nginx')
             WORepo.add_key(self, WOVariables.wo_nginx_key)
@@ -137,6 +136,7 @@ def pre_pref(self, apt_packages):
             Log.debug(self, 'Adding repo_url of php for debian')
             WORepo.add(self, repo_url=WOVariables.wo_php_repo)
             Log.debug(self, 'Adding deb.sury GPG key')
+            apt_repo_key = apt_repo_key + WOVariables.wo_php_key
             WORepo.add_key(self, WOVariables.wo_php_key)
     # add redis repository
     if set(['redis-server']).issubset(set(apt_packages)):
@@ -145,6 +145,9 @@ def pre_pref(self, apt_packages):
             Log.debug(self, 'Adding ppa for redis')
             WORepo.add(self, ppa=WOVariables.wo_redis_repo)
 
+    if (apt_repo_key):
+        WORepo.add_key(self, apt_repo_key)
+
 
 def post_pref(self, apt_packages, packages, upgrade=False):
     """Post activity after installation of packages"""
@@ -367,7 +370,7 @@ def post_pref(self, apt_packages, packages, upgrade=False):
             WOTemplate.render(
                 self,
                 '/etc/nginx/sites-available/22222',
-                '22222.mustache', data, overwrite=False)
+                '22222.mustache', data, overwrite=True)
             passwd = ''.join([random.choice
                               (string.ascii_letters + string.digits)
                               for n in range(24)])

wo/cli/templates/nextcloud.mustache

@@ -0,0 +1,82 @@
+# WordOps nextcloud configuration
+    add_header X-Robots-Tag none;
+    add_header X-Permitted-Cross-Domain-Policies none;
+    add_header Referrer-Policy no-referrer;
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+	# Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+	    location / {
+        rewrite ^ /index.php$request_uri;
+    }
+
+    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+        deny all;
+    }
+    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+        deny all;
+    }
+
+    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param HTTPS on;
+        # Avoid sending the security headers twice
+        fastcgi_param modHeadersAvailable true;
+        # Enable pretty urls
+        fastcgi_param front_controller_active true;
+        fastcgi_pass {{upstream}};
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+    }
+
+    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+        try_files $uri/ =404;
+        index index.php;
+    }
+
+    # Adding the cache control header for js, css and map files
+    # Make sure it is BELOW the PHP block
+    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+        try_files $uri /index.php$request_uri;
+        add_header Cache-Control "public, max-age=15778463";
+        # Add headers to serve security related headers (It is intended to
+        # have those duplicated to the ones above)
+        # Before enabling Strict-Transport-Security headers please read into
+        # this topic first.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+        #
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Robots-Tag none;
+        add_header X-Download-Options noopen;
+        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy no-referrer;
+
+        # Optional: Don't log access to assets
+        access_log off;
+    }
+
+    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+        try_files $uri /index.php$request_uri;
+        # Optional: Don't log access to other assets
+        access_log off;
+    }

wo/core/apt_repo.py

@@ -83,7 +83,8 @@ class WORepo():
         default keyserver is hkp://keyserver.ubuntu.com
         user can provide other keyserver with keyserver="hkp://xyz"
         """
+        all_keys = ' '.join(keyids)
         WOShellExec.cmd_exec(self, "apt-key adv --keyserver {serv}"
                              .format(serv=(keyserver or
                                            "hkp://keyserver.ubuntu.com")) +
-                             " --recv-keys {key}".format(key=keyids))
+                             " --recv-keys {keys}".format(key=all_keys))

wo/core/variables.py

@@ -109,7 +109,7 @@ class WOVariables():
                          .format(wo_deb_repo))
 
     wo_nginx = ["nginx-custom", "nginx-wo"]
-    wo_nginx_key = '188C9FB063F0247A'
+    wo_nginx_key = ['188C9FB063F0247A']
 
     # PHP repo and packages
     if wo_distro == 'ubuntu':
@@ -118,7 +118,7 @@ class WOVariables():
         wo_php_repo = (
             "deb https://packages.sury.org/php/ {codename} main"
             .format(codename=wo_platform_codename))
-        wo_php_key = 'AC0E47584A7A714D'
+        wo_php_key = ['AC0E47584A7A714D']
 
     wo_php = ["php7.2-fpm", "php7.2-curl", "php7.2-gd", "php7.2-imap",
               "php7.2-readline", "php7.2-common", "php7.2-recode",
@@ -150,8 +150,6 @@ class WOVariables():
     else:
         wo_mysql_client = ["mariadb-client", "python3-mysql.connector"]
 
-
-
     wo_fail2ban = ["fail2ban"]
     wo_clamav = ["clamav", "clamav-freshclam"]