#!/usr/bin/with-contenv bash
source /assets/functions/00-container
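prepare_service single
PROCESS_NAME="libreoffice-online"

# ALLOWED_HOSTS is mandatory: the WOPI host allow-list further down is built from it.
sanity_var "ALLOWED_HOSTS" "Allowed Hostnames"

print_debug "Creating directories and setting up logging"
mkdir -p "${LOG_PATH}"
touch "${LOG_PATH}/${LOG_FILE}"
chown -R lool "${LOG_PATH}"

# Copy the container's name-resolution files into the jail system template
# (presumably so that the jailed child processes can resolve names -- confirm).
print_debug "Setting up DNS Resolution"
# -f: a missing resolv.conf in the template is not an error on a first start.
rm -f /opt/lool/systemplate/etc/resolv.conf
cp /etc/hosts /etc/resolv.conf /opt/lool/systemplate/etc/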
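### Custom File Support
# Files dropped into /assets/custom are layered over the stock /opt/lool/share tree.
if [ -d /assets/custom ] ; then
  print_warn "Custom Files Found, Copying over top of Master.."
  # Expand the glob into an array with nullglob so that an empty directory yields
  # no entries instead of the literal pattern "/assets/custom/*" being passed to cp.
  shopt -s nullglob
  custom_files=(/assets/custom/*)
  shopt -u nullglob
  if [ "${#custom_files[@]}" -gt 0 ]; then
    cp -R -- "${custom_files[@]}" /opt/lool/share/
  else
    print_debug "No files found in /assets/custom"
  fi
  # "lool:" = user lool with that user's login group (same meaning as the legacy "lool." form).
  chown -R lool: /opt/lool/share/
fi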
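### Execute Custom Scripts if exist to modify parts of the system
# Anything under /assets/custom-scripts is executed with the privileges of this
# init script, so only trusted content belongs in that mount.
if [ -d /assets/custom-scripts/ ] ; then
  print_warn "Found Custom Scripts to Execute"
  # NUL-delimited so paths containing whitespace survive intact (the previous
  # $(find ...) loop word-split them), and sorted so the run order is stable
  # instead of depending on directory enumeration order.
  while IFS= read -r -d '' f; do
    print_warn "Running Script ${f}"
    chmod +x "${f}"
    # A failing script is reported but does not stop the remaining ones.
    "${f}" || print_error "Custom script ${f} exited with status $?"
  done < <(find /assets/custom-scripts/ -name '*.sh' -type f -print0 | sort -z)
fi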
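if var_true "${ENABLE_TLS}" ; then
  print_debug "TLS Enabled"
  # Look for the certificate set under TLS_CERT_PATH. The previous test compared the
  # bare filenames against the working directory, so it reported "missing" even when
  # the files existed and, with autogeneration enabled, regenerated and overwrote
  # them on every start.
  if [ ! -f "${TLS_CERT_PATH}/${TLS_KEY_FILENAME}" ] || [ ! -f "${TLS_CERT_PATH}/${TLS_CA_FILENAME}" ] || [ ! -f "${TLS_CERT_PATH}/${TLS_CERT_FILENAME}" ] ; then
    print_debug "No TLS Certificates found"
    if var_true "${ENABLE_TLS_CERT_GENERATE}" ; then
      print_debug "TLS Certificate Autogeneration"
      mkdir -p "${TLS_CERT_PATH}"
      # Generate new SSL certificate instead of using the default
      print_notice "Auto Generating Self Signed Certificates"
      # Key material is staged in a fresh, unpredictable directory instead of the fixed
      # /tmp/ssl path, and the script no longer cd's into it (the old code left the
      # shell's working directory pointing at a directory it then deleted).
      # ":?" aborts the script with a message if mktemp failed and ssl_tmp is empty.
      ssl_tmp=$(mktemp -d)
      ca_dir="${ssl_tmp:?mktemp failed}/certs/ca"
      srv_dir="${ssl_tmp}/certs/servers/localhost"
      csr_dir="${ssl_tmp}/certs/tmp"
      mkdir -p "${ca_dir}" "${srv_dir}" "${csr_dir}"
      # Throw-away CA (subject kept on one line; it was previously split by a line break).
      silent openssl genrsa -out "${ca_dir}/root.key.pem" 2048
      silent openssl req -x509 -new -nodes -key "${ca_dir}/root.key.pem" -days 9131 -out "${ca_dir}/root.crt.pem" -subj "/C=XX/ST=XX/L=XX/O=Dummy Authority/CN=Dummy Authority"
      # Server key and CSR. The CN falls back to "localhost" only when cert_domain is
      # unset; an empty value is used as-is, matching the earlier behaviour.
      # NOTE(review): no subjectAltName is added, so recent clients may not accept this
      # certificate for hostname verification -- consider adding one if that matters.
      silent openssl genrsa -out "${srv_dir}/privkey.pem" 2048
      cert_cn="${cert_domain-localhost}"
      silent openssl req -key "${srv_dir}/privkey.pem" -new -sha256 -out "${csr_dir}/localhost.csr.pem" -subj "/C=XX/ST=XX/L=XX/O=Dummy Authority/CN=${cert_cn}"
      silent openssl x509 -req -in "${csr_dir}/localhost.csr.pem" -CA "${ca_dir}/root.crt.pem" -CAkey "${ca_dir}/root.key.pem" -CAcreateserial -out "${srv_dir}/cert.pem" -days 9131
      # Plain file copies; -R is not needed for single files.
      cp "${srv_dir}/privkey.pem" "${TLS_CERT_PATH}/${TLS_KEY_FILENAME}"
      cp "${srv_dir}/cert.pem" "${TLS_CERT_PATH}/${TLS_CERT_FILENAME}"
      cp "${ca_dir}/root.crt.pem" "${TLS_CERT_PATH}/${TLS_CA_FILENAME}"
      rm -rf -- "${ssl_tmp}"
      chown -R lool "${TLS_CERT_PATH}"
      # The private key is only ever read by the service user.
      chmod 0600 "${TLS_CERT_PATH}/${TLS_KEY_FILENAME}"
    else
      if [ ! -f "${TLS_CERT_PATH}/${TLS_KEY_FILENAME}" ] || [ ! -f "${TLS_CERT_PATH}/${TLS_CA_FILENAME}" ] || [ ! -f "${TLS_CERT_PATH}/${TLS_CERT_FILENAME}" ] ; then
        print_error "TLS Certificates missing... Please switch to autogenerate mode, or place your certifcates in the correct location."
      fi
    fi
  fi
fi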
if [ "$SETUP_TYPE" = "AUTO" ]; then
print_notice "Autogenerating Configuration File"
### Replace Configuration directives
# NOTE(review): every sed below splices an environment value straight into the
# replacement text. sed treats '&' as "the matched text", '|' is the delimiter
# here, and a backslash starts an escape, so a value containing any of them
# (ADMIN_PASS, WATERMARK_TEXT, DOCUMENT_SIGNING_URL, FRAME_ANCESTORS are the
# likely candidates) corrupts the line or breaks the expression. Escape values
# before interpolating them.
# NOTE(review): the next eight expressions read "s|.*|VALUE|g" with no element
# name in the pattern; as written each one replaces the content of every line
# in loolwsd.xml. The element names look like they were lost when this file was
# captured -- confirm against the original script before relying on this copy.
sed -i -e "s|.*|${DICTIONARIES}|g" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*|${SYS_TEMPLATE_PATH}|g" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*|${CHILD_ROOT_PATH}|g" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*|${ENABLE_MOUNT_JAIL}|g" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*|${HOSTNAME}|g" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*|${FILE_SERVER_ROOT_PATH}|g" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*|${MEMORY_USAGE_MAX}|g" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*|${PRESPAWN_CHILD_PROCESSES}|g" /etc/loolwsd/loolwsd.xml
# NOTE(review): none of the patterns below are anchored to a parent element, so
# a closing tag that occurs more than once in loolwsd.xml (</enable>, </level>,
# </property>, </idle_timeout_secs>, </text>, </mode>, ...) is rewritten on every
# line where it appears, and a later expression on the same tag overwrites an
# earlier one (the two </idle_timeout_secs> edits and the two </property> edits
# in this block are examples).
sed -i -e "s|.*<\/max_concurrency>|${MAX_THREADS_DOCUMENT}<\/max_concurrency>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/batch_priority>|${BATCH_PRIORITY}<\/batch_priority>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/document_signing_url>|${DOCUMENT_SIGNING_URL}<\/document_signing_url>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/redlining_as_comments>|${REDLINING_AS_COMMENTS}<\/redlining_as_comments>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/idle_timeout_secs>|${IDLE_UNLOAD_TIMEOUT}<\/idle_timeout_secs>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/idlesave_duration_secs>|${IDLE_SAVE}<\/idlesave_duration_secs>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/autosave_duration_secs>|${AUTO_SAVE}<\/autosave_duration_secs>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/always_save_on_exit>|${ALWAYS_SAVE_ON_EXIT}<\/always_save_on_exit>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/limit_virt_mem_mb>|${MEMORY_VIRT_LIMIT}<\/limit_virt_mem_mb>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/limit_stack_mem_kb>|${MEMORY_STACK_LIMIT}<\/limit_stack_mem_kb>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/limit_file_size_mb>|${FILE_SIZE_LIMIT}<\/limit_file_size_mb>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/limit_num_open_files>|${MAX_OPEN_FILES}<\/limit_num_open_files>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/limit_load_secs>|${MAX_FILE_LOAD_LIMIT}<\/limit_load_secs>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/limit_convert_secs>|${MAX_CONVERT_LIMIT}<\/limit_convert_secs>|" /etc/loolwsd/loolwsd.xml
# NOTE(review): pattern ".*>" matches any line ending in '>' -- the element name
# appears to be missing from this expression.
sed -i -e "s|.*>|${ENABLE_CLEANUP}>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/cleanup_interval_ms>|${CLEANUP_INTERVAL}<\/cleanup_interval_ms>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/bad_behavior_period_secs>|${CLEANUP_BAD_BEHAVIOUR_TIME}<\/bad_behavior_period_secs>|" /etc/loolwsd/loolwsd.xml
# NOTE(review): pattern ".*<\/" and replacement "<VALUE<\/" both look truncated.
sed -i -e "s|.*<\/|<${CLEANUP_IDLE_TIME}<\/|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/limit_dirty_mem_mb>|${CLEANUP_LIMIT_DIRTY_MEMORY}<\/limit_dirty_mem_mb>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/limit_cpu_per>|${CLEANUP_LIMIT_CPU_PER}<\/limit_cpu_per>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/out_of_focus_timeout_secs>|${USER_OUT_OF_FOCUS_TIMEOUT}<\/out_of_focus_timeout_secs>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/idle_timeout_secs>|${USER_IDLE_TIMEOUT}<\/idle_timeout_secs>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/loleaflet_html>|${LOLEAFLET_HTML}<\/loleaflet_html>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/color>|${LOG_COLOURIZE}<\/color>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/level>|${LOG_LEVEL}<\/level>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/protocol>|${LOG_CLIENT_CONSOLE}<\/protocol>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/lokit_sal_log>|${LOG_LIBREOFFICE}<\/lokit_sal_log>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/loleaflet_logging>|${LOG_CLIENT_CONSOLE}<\/loleaflet_logging>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/proto>|${NETWORK_PROTOCOL}<\/proto>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/frame_ancestors>|${FRAME_ANCESTORS}<\/frame_ancestors>|" /etc/loolwsd/loolwsd.xml
#sed -i -e "s|localhost<\/host>|${ALLOWED_HOSTS}<\/host>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/connection_timeout>|${CONNECTION_TIMEOUT}<\/connection_timeout>|" /etc/loolwsd/loolwsd.xml
# TLS file locations must agree with the paths the TLS block above writes to.
sed -i -e "s|.*<\/ca_file_path>|${TLS_CERT_PATH}/${TLS_CA_FILENAME}<\/ca_file_path>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/cert_file_path>|${TLS_CERT_PATH}/${TLS_CERT_FILENAME}<\/cert_file_path>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/key_file_path>|${TLS_CERT_PATH}/${TLS_KEY_FILENAME}<\/key_file_path>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/seccomp>|${ENABLE_SECCOMP}<\/seccomp>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/capabilities>|${ENABLE_CAPABILITIES}<\/capabilities>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/opacity>|${WATERMARK_OPACITY}<\/opacity>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/text>|${WATERMARK_TEXT}<\/text>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/mode>|${INTERFACE}<\/mode>|" /etc/loolwsd/loolwsd.xml
# NOTE(review): "s|||" has an empty regex and an empty replacement; sed rejects
# an empty regex when no previous expression exists, so this line appears to
# have lost its content.
sed -i -e "s|||" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/enable>|${ENABLE_ADMIN_CONSOLE}<\/enable>|" /etc/loolwsd/loolwsd.xml
# Admin console credentials are stored in clear text in loolwsd.xml; the file
# should be readable by the service user only (its mode is not set here -- verify).
sed -i -e "s|.*<\/username>|${ADMIN_USER}<\/username>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/password>|${ADMIN_PASS}<\/password>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/limit_data_mem_kb>|${MEMORY_DATA_LIMIT}<\/limit_data_mem_kb>|" /etc/loolwsd/loolwsd.xml
if var_false "${ENABLE_TLS}" ; then
# NOTE(review): matches every </enable> line in the file, including the admin
# console <enable> written a few lines above, unless the original pattern
# carried more context than this copy shows.
sed -i -E "s|.*<\/enable>|false<\/enable>|" /etc/loolwsd/loolwsd.xml
fi
if var_true "${ENABLE_TLS_REVERSE_PROXY}" ; then
sed -i -E "s|.*<\/termination>|true<\/termination>|" /etc/loolwsd/loolwsd.xml
fi
if var_true "${LOG_ANONYMIZE}"; then
sed -i -e "s|.*<\/anonymize_user_data>|${LOG_ANONYMIZE}<\/anonymize_user_data>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/anonymization_salt>|${LOG_ANONYMIZE_SALT}<\/anonymization_salt>|" /etc/loolwsd/loolwsd.xml
fi
if [ "$LOG_TYPE" = "FILE" ]; then
# Both expressions target </property>; the second rewrites every </property>
# line again, including the one the first just set.
sed -i -e "s|.*<\/property>|${LOG_PATH}/${LOG_FILE}<\/property>|" /etc/loolwsd/loolwsd.xml
sed -i -e "s|.*<\/property>|${LOG_FILE_FLUSH}<\/property>|" /etc/loolwsd/loolwsd.xml
# NOTE(review): empty regex again ("s||VALUE|g"); the placeholder this was meant
# to replace in the logrotate file is not present in this copy.
sed -i "s||${LOG_PATH}|g" /etc/logrotate.d/loolwsd
else
print_debug "Log: Console"
rm -rf /etc/logrotate.d/loolwsd
fi
### Allowed Hosts
# Comma-separated ALLOWED_HOSTS is split one entry per line; the unquoted
# $allowed_hosts in the for loop relies on word splitting for the iteration.
allowed_hosts=$(echo "${ALLOWED_HOSTS}" | tr "," "\n")
for host in $allowed_hosts
do
print_info "Adding Allowed Host: ${host}"
# NOTE(review): inside double quotes "\$" is a literal '$', so sed appends the
# text "${host}" rather than the host value, and the <host> element markup that
# should surround it is absent -- this line looks garbled; confirm.
sed -i "/>localhost<\/host>/a \ \ \ \ \ \ \ \ \ \ \ \ \${host}" /etc/loolwsd/loolwsd.xml
done
if var_true "${ALLOW_172_XX_SUBNET}" ; then
print_debug "Allowing 172.16.0.0/12 Subnet"
# The /12 range is inserted as three regular expressions (172.16-19, 172.20-29,
# 172.30-31); the escaping is for the sed script, the XML gets plain regexes.
# The opening <host> tag is not present in these lines either.
sed -i "/<\/post_allow>/i \ \ \ \ \ \ \ \ 172\\.1\[6789\]\.\[0-9\]\{1,3\}\.\[0-9\]\{1,3\}<\/host>" /etc/loolwsd/loolwsd.xml
sed -i "/<\/post_allow>/i \ \ \ \ \ \ \ \ 172\\.2\[0-9\]\\.\[0-9\]\{1,3\}\\.\[0-9\]\{1,3\}<\/host>" /etc/loolwsd/loolwsd.xml
sed -i "/<\/post_allow>/i \ \ \ \ \ \ \ \ 172\\.3\[01\]\\.\[0-9\]\{1,3\}\\.\[0-9\]\{1,3\}<\/host>" /etc/loolwsd/loolwsd.xml
fi
fi
# Generate WOPI proof key
# Only generated when no public key exists yet, so the key persists across restarts.
[ -f /etc/loolwsd/proof_key.pub ] || silent /opt/lool/bin/loolwsd-generate-proof-key

# Enable Config Reload (Restart when /etc/loolwsd/loolwsd.xml changes)
# The reloader is a separate service definition; removing it is what disables it.
if var_false "${ENABLE_CONFIG_RELOAD}" ; then
  print_debug "Disabling Automatic Configuration Reloader"
  rm -rf /etc/services.available/11-inotify
fi

print_info "Container Initialization Complete"
liftoff