#!/bin/sh

# OpenSUSE 12.2 Perfect Server ISPConfig script by George Yohng (georgesc#oss3d.com)
# Script Version 3.0

# Note - this script uses btrfs/snapper functionality. When installing OpenSuSE 12.2, select
# minimal configuration, and also btrfs as the root filesystem.

# Do zypper update and reboot before running this script

# Also better change host name manually with yast2 before running this script.

# This script requires the following manual actions:

#    First - when zypper asks for conflicting packages - select an option to uninstall patterns
#    Second - for the ISPConfig3 update: type 'svn' when asked for the update type
#    All other options are default, one can just press ENTER.

# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# during the installation of mysql_secure_install.

# Important: When setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it doesn't
# seem to work somehow.

# Platform is x86_64 or i586

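# Every setting below can be overridden from the environment (VAR=value ./script);
# the value given here is only the default.

# Platform is x86_64 or i586
THIS_PLATFORM=${THIS_PLATFORM:-x86_64}

# MySQL root password. The value below is a placeholder default that MUST be
# replaced - preferably by exporting MYSQLROOTPASS before running the script
# rather than editing it, so the real secret never sits in this file.
MYSQLROOTPASS=${MYSQLROOTPASS:-87h4eq2jr2}

# Change this to your server name. By default it's configured to server1.mydomain.com

# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME. 'server1' or 'host' is a good name.

MY_HOSTNAME=${MY_HOSTNAME:-server1}
MY_DOMAIN=${MY_DOMAIN:-example.com}

# Set to "yes" to use the SVN version of ISP config, and to run update once the installation is finished
ISPCONFIG_SVN=${ISPCONFIG_SVN:-}

# Packages may have been updated, therefore also check the RPM and TARGZ locations below,
# and preferably use the latest versions of everything.
# NOTE(review): these are plain-http locations; nothing later in the script verifies a
# checksum or signature of what is downloaded before it is built and installed as root.

PAM_MYSQL_TARGZ=${PAM_MYSQL_TARGZ:-http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz}
SUPHP_RPM=${SUPHP_RPM:-http://download.opensuse.org/repositories/server:/php/openSUSE_12.2/$THIS_PLATFORM/suphp-0.7.1-5.1.$THIS_PLATFORM.rpm}

AWSTATS_RPM=${AWSTATS_RPM:-http://download.opensuse.org/repositories/network:/utilities/openSUSE_12.2/noarch/awstats-7.0-14.1.noarch.rpm}

JAILKIT_TARGZ=${JAILKIT_TARGZ:-http://olivier.sessink.nl/jailkit/jailkit-2.15.tar.gz}

VLOGGER_TARGZ=${VLOGGER_TARGZ:-http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz}

RDIFF_BACKUP_TARGZ=${RDIFF_BACKUP_TARGZ:-http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz}

EACCELERATOR_TARBZ2=${EACCELERATOR_TARBZ2:-http://sourceforge.net/projects/eaccelerator/files/eaccelerator/eAccelerator%200.9.6.1/eaccelerator-0.9.6.1.tar.bz2}

ISPCONFIG_TAR_GZ=${ISPCONFIG_TAR_GZ:-http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.4.6.tar.gz}

# Fully qualified name used for /etc/HOSTNAME, certificates and the ISPConfig installer
MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN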

# Disable apparmor (just in case, usually will fail - if installed with the minimal setup)

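/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

# Install all packages

# snapper first: every phase of this script is bracketed by a pre/post snapshot pair
zypper -n install -l snapper

# "-p" prints the number of the new snapshot; the matching "post" snapshot refers back to it
SNAPPER_N1=$(snapper create -t pre --description "Pre: Standard Packages Install" -p)


zypper -n remove exim
zypper -n remove patterns-openSUSE-minimal_base-conflicts

zypper -n install -l  mc
zypper -n install -l  SuSEfirewall2 iptables
zypper -n install -l  quota
zypper -n install -l  GeoIP libGeoIP-devel libGeoIP1
zypper -n install -l  findutils libreadline6 compat-readline4 readline-devel libgcc47 glibc-devel findutils-locate gcc flex lynx compat-readline4 libdb-4_8-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico patch

zypper -n install -l  postfix postfix-mysql mysql-community-server mysql-community-server-client mysql-community-server-tools

zypper -n install -l python
zypper -n install -l getmail
zypper -n install -l fail2ban

zypper -n install -l  cron
zypper -n install -l  libmysqlclient-devel pwgen

zypper -n install -l  dovecot21 dovecot21-backend-mysql
# fix the library path for dovecot
test -d /lib64 && ln -s /usr/lib64/dovecot/modules /usr/lib/dovecot

zypper -n install -l  bind

zypper -n install -l  squirrelmail-beta

zypper -n install -l  apache2 apache2-mod_fcgid
zypper -n install -l  php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5

zypper -n install -l  spamassassin amavisd-new clamav clamav-db zoo unzip bzip2 unarj perl-DBD-mysql
zypper -n install -l  unrar p7zip
zypper -n install -l  duplicity

# (getmail, fail2ban and duplicity were already installed above with -n; the
# interactive "zypper install" repeats that used to follow here would block an
# unattended run waiting for confirmation, so they are gone)


# create symlink to the expected place by amavis

mkdir -p /var/run/clamav
chown vscan:vscan /var/run/clamav
ln -s /var/lib/clamav/clamd-socket /var/run/clamav/clamd

zypper -n install -l  webalizer perl-Date-Manip perl-TimeDate

zypper -n install -l  ntp

zypper -n install -l  php5-devel

zypper -n install -l  phpMyAdmin
zypper -n install -l  pure-ftpd quota

zypper -n install -l  python-devel librsync

zypper -n install -l  iptraf iftop

# install pam (platform-specific package set)

case "$THIS_PLATFORM" in
  x86_64) zypper -n install -l  pam-devel pam-32bit pam-devel-32bit pam-modules-32bit ;;
  i586)   zypper -n install -l  pam-devel pam pam-modules ;;
esac

snapper create -t post --description "Post: Standard Packages Install ($SNAPPER_N1)" --pre-number "$SNAPPER_N1"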

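SNAPPER_N2=$(snapper create -t pre --description "Pre: Custom Packages Install" -p)

# install suphp
# NOTE(review): rpm fetches the URL itself; it only verifies the package signature
# when the signing key of that repository has been imported beforehand.
rpm -i "$SUPHP_RPM"

# install pam_mysql
# NOTE(review): this and the other source builds below (jailkit, rdiff-backup,
# eaccelerator) install unverified downloads as root; record a known-good
# checksum and check it (sha256sum -c) before building once one is available.

cd /tmp
wget -c "$PAM_MYSQL_TARGZ"
tar xvfz pam_mysql-*.tar.gz
rm -f pam_mysql-*.tar.gz
# build in a subshell: if configure or make fails, "make install" is not run
# (and nothing runs from /tmp itself if the cd fails)
(cd pam_mysql-* && ./configure && make && make install)
cd /tmp
rm -rf /tmp/pam_mysql-*

# fix the library path for pam_mysql
test -d /lib64 && cp /lib/security/pam_mysql* /lib64/security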

# VLOGGER, WEBALIZER

# vlogger: fetch the tarball, unpack it, and move the script into /usr/sbin
# (there is no build step), then clean up the unpacked tree.
cd /tmp
wget -c "$VLOGGER_TARGZ"
tar xvfz vlogger-*.tar.gz
rm -f -- vlogger-*.tar.gz
mv -- vlogger-*/vlogger /usr/sbin/
rm -rf -- vlogger*

# Jailkit

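# Jailkit: fetch, build and install from source, then remove the build tree.
cd /tmp
wget -c "$JAILKIT_TARGZ"
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
# build in a subshell so a failed configure/make does not go on to "make install"
# and a failed cd does not leave make running in /tmp
(cd jailkit-* && ./configure && make && make install)
cd /tmp
rm -rf jailkit-*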

# rdiff-backup

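# rdiff-backup: fetched, built with its setup.py and installed.
# The original "cd tmp" (relative) only worked because the previous section left
# the shell in /tmp and the failing cd was ignored; use the absolute path.
cd /tmp
wget -c "$RDIFF_BACKUP_TARGZ"
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
# run setup.py through the interpreter so it does not depend on the exec bit
# surviving the tarball; the subshell keeps the install from running on a failed cd
(cd rdiff-backup-* && python setup.py install)
cd /tmp
rm -rf rdiff-backup-*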

# Install eAccelerator

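# eAccelerator: build the PHP extension from source and enable it for php5.
cd /tmp
# -c for consistency with the other downloads (resume a partial file on re-run)
wget -c "$EACCELERATOR_TARBZ2"
tar xvfj eaccelerator-*.bz2
rm -f eaccelerator-*.bz2
# the flag is specified to prevent openbasedir limitations with ispconfig
# build in a subshell so a failed phpize/configure/make does not reach "make install"
(cd eaccelerator-* && phpize && ./configure --without-eaccelerator-use-inode && make && make install)

cd /tmp
rm -rf eaccelerator-*

# quoted delimiter: the ini is written literally (it contains no shell expansions)
cat > /etc/php5/conf.d/eaccelerator.ini <<'EOFMARKER4'
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
EOFMARKER4

mkdir -p /var/cache/eaccelerator
# World-writable: PHP runs under several uids here (suphp/fcgid are enabled
# further down) and each has to write into the cache. NOTE(review): 0777 lets
# any local user tamper with other sites' cached code; check whether the
# eaccelerator docs allow a sticky/group-writable mode instead.
chmod 0777 /var/cache/eaccelerator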

# Install AWSTATS

# AWStats from the network:utilities repository (rpm downloads the URL itself)
rpm -ivh "$AWSTATS_RPM"

# og+w: presumably so awstats.pl, run by apache, can write its data files here
chmod og+w /var/cache/awstats

# start from the web configuration and make the apache snippet unconditional by
# commenting out its <IfDefine ...> / </IfDefine> wrapper
cp /etc/awstats/awstats.web.conf /etc/awstats/awstats.conf
sed -i -e 's,^<IfDefine,#<IfDefine,' -e 's,^</IfDefine,#</IfDefine,' /etc/apache2/conf.d/awstats.conf

snapper create -t post --description "Post: Custom Packages Install ($SNAPPER_N2)" --pre-number $SNAPPER_N2

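SNAPPER_N3=$(snapper create -t pre --description "Pre: Patch system configuration" -p)


# Console codepage (to make putty output fine)
sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language

# Host name

printf '%s\n' "$MY_FULLHOSTNAME" > /etc/HOSTNAME
# append the hosts entry only once, so a re-run does not accumulate duplicates
grep -qF -- "127.0.0.2 $MY_FULLHOSTNAME $MY_HOSTNAME" /etc/hosts \
  || printf '127.0.0.2 %s %s\n' "$MY_FULLHOSTNAME" "$MY_HOSTNAME" >> /etc/hosts

export HOST=$MY_FULLHOSTNAME
export HOSTNAME=$MY_FULLHOSTNAME


# Quota
touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*

# TODO: change fstab here
# Ignore errors from the below commands

mount -o remount /
mount -o remount /srv
mount -o remount /home

quotacheck -avugm
quotaon -avug

# Fix getmail user to allow running from cron
# "!" marks the account locked; "*" still permits no password login but, presumably,
# no longer makes cron skip the user's jobs - confirm against the cron in use

sed -i 's/getmail:[!]:/getmail:*:/' /etc/shadow

# Set suexec2 permissions (setuid root, executable by the www group)

chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2

# Allow ports through firewall
# 8080 is the ISPConfig panel vhost, 30000:30500 the pure-ftpd passive range set
# further down. NOTE(review): POP3 (110/995) is not opened although dovecot is
# configured for "imap pop3" later in this script - confirm whether that is intended.

SuSEfirewall2 open EXT TCP 21 22 80 8080 25 143 465 585 993 30000:30500
SuSEfirewall2

SuSEconfig

snapper create -t post --description "Post: Patch system configuration ($SNAPPER_N3)" --pre-number "$SNAPPER_N3"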


SNAPPER_N4=$(snapper create -t pre --description "Pre: Patch software configuration" -p)

# amavis: set $mydomain / $myhostname from this script's settings;
# suphp: register x-httpd-suphp next to the existing x-httpd-php handler
sed -i 's/\$mydomain = '\''example.com'\'';/\$mydomain='\'$MY_DOMAIN\'';\n\$myhostname='\'$MY_FULLHOSTNAME\'';/g' /etc/amavisd.conf
sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf

# apache modules used by the vhost configuration written later in this script
for mod in suexec deflate rewrite ssl actions suphp fcgid logio; do
  a2enmod "$mod"
done

# Fail2ban config
# TODO: patch fail2ban to include delays into iptables script,
# as otherwise it frequently fails

# dovecot login-failure filter; the quoted delimiter writes the regex literally
cat > /etc/fail2ban/filter.d/dovecot-pop3imap.conf <<'EOFMARKER4'
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
EOFMARKER4


# Fail2ban jails: keep the packaged jail.conf as jail.conf.def and write our own.
# The quoted delimiter writes the configuration literally (no shell expansion).
cp -- /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<'EOFMARKER3'
# Fail2Ban configuration file

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5

[ssh-ddos-iptables]

enabled  = true
filter   = sshd-ddos
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5


[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath  = /var/log/messages
maxretry = 6

[pure-ftpd-iptables]

enabled  = true
filter   = pure-ftpd
action   = iptables[name=PureFTPD, port=ftp, protocol=tcp]
logpath  = /var/log/messages
maxretry = 6

[courier-imap-iptables]

enabled  = true
filter   = courierlogin
action   = iptables[name=CourierIMAP, port=ftp, protocol=tcp]
logpath  = /var/log/messages
maxretry = 6

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,pop3s,imaps", protocol=tcp]
logpath = /var/log/mail
maxretry = 6


# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
logpath  = /var/log/mail

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = true
filter      = sshd
action      = hostsdeny
ignoreregex = for myuser from
logpath     = /var/log/messages

[ssh-ddos-tcpwrapper]

enabled     = true
filter      = sshd-ddos
action      = hostsdeny
ignoreregex = for myuser from
logpath     = /var/log/messages


# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = true
filter	 = apache-auth
action   = hostsdeny
logpath  = /var/log/apache2/error_log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = true
filter   = postfix
action   = hostsdeny
logpath  = /var/log/mail
bantime  = 300

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables[name=BadBots1, port=http,  protocol=tcp]
           iptables[name=BadBots2, port=https, protocol=tcp]
logpath  = /var/log/apache2/access_log
bantime  = 172800
maxretry = 1

[php-url-fopen]

enabled = false
port    = http,https
filter  = php-url-fopen
logpath = /var/log/apache2/access_log
maxretry = 1

EOFMARKER3

# Ensure fail2ban recreates a socket file
# Because otherwise after a server crash, fail2ban won't restart
sed -i 's/-q start/-x -q start/' /etc/init.d/fail2ban

# Fix pure-ftpd regexp
sed -i 's/[)][?]: [(][.][+][?]@<HOST>[)] \\\[/)\?: \\(.+?@<HOST>\\) \\[/' /etc/fail2ban/filter.d/pure-ftpd.conf

#sed -i 's,^#LoadPlugin=\"geoipfree\",LoadPlugin=\"geoipfree\",' /etc/awstats/awstats.conf
# AWStats: raise the Max* limits from 10 to 25, drop the stylesheet, and use a
# LogFormat matching the apache combined log written for it
AWSTATS_CONF=/etc/awstats/awstats.conf
sed -i 's,^Max\([^=]*\)= 10$,Max\1= 25,' "$AWSTATS_CONF"
sed -i 's,^StyleSheet=\"[^\"]*\",StyleSheet=\"\",' "$AWSTATS_CONF"
sed -i 's,^LogFormat=.*,LogFormat = "%host %other %logname %time1 %methodurl %code %other %refererquot %uaquot %other %bytesd",' "$AWSTATS_CONF"

# adjust postfix interfaces: listen on all interfaces, enable tlsmgr and the
# smtps service (its master.cf entry becomes the bare port number 465)
sed -i 's/^inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
sed -i 's/^#tlsmgr/tlsmgr/g' /etc/postfix/master.cf
sed -i 's/^#smtps/465/g' /etc/postfix/master.cf

# Fix squirrelmail: no folder prefix
sed -i 's/^\$default_folder_prefix.*/$default_folder_prefix = '\'\'';/' /srv/www/htdocs/squirrelmail/config/config.php

# Patch Dovecot license generation

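cd /usr/share/doc/packages/dovecot

# Self-signed certificate generator for dovecot (run further down, after the
# data updates). The quoted delimiter writes the script literally, so the
# "\$" escaping is gone and nothing from this installer's environment leaks in.
cat >./mkcert.sh <<'EOFMARKER5'
#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d "$CERTDIR" ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi

if [ ! -d "$KEYDIR" ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi

if [ -f "$CERTFILE" ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi

if [ -f "$KEYFILE" ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi

$OPENSSL req -new -x509 -nodes -config "$OPENSSLCONFIG" -out "$CERTFILE" -keyout "$KEYFILE" -days 3650 || exit 2
chmod 0600 "$KEYFILE"
echo
$OPENSSL x509 -subject -fingerprint -noout -in "$CERTFILE" || exit 2

EOFMARKER5

# Request configuration for mkcert.sh; CN and contact address follow this
# script's host/domain settings (unquoted delimiter: these are expanded here).
cat >./dovecot-openssl.cnf <<EOFMARKER6
[ req ]
# 2048-bit RSA: 1024-bit keys are considered too weak for a server certificate
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=$MY_FULLHOSTNAME

# E-mail contact
emailAddress=postmaster@$MY_DOMAIN

[ cert_type ]
nsCertType = server

EOFMARKER6

cd /

# TODO: add this script to cron
# Watchdog: restart dovecot when nothing is listening on the IMAP port.
# (The original sent grep's stderr to the terminal and its stdout to /dev/null
# because of the "2>&1 >/dev/null" order; grep -q does what was intended.)
cat >/usr/bin/dovecot-check.sh <<'EOFMARKER7'
#!/bin/sh
if /usr/bin/lsof -Pni :143 | grep -q "143 (LISTEN)"; then
    :
else
    /etc/init.d/dovecot restart
fi
EOFMARKER7
# the original never made the script executable
chmod 0755 /usr/bin/dovecot-check.sh


snapper create -t post --description "Post: Patch software configuration ($SNAPPER_N4)" --pre-number "$SNAPPER_N4"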


SNAPPER_N5=$(snapper create -t pre --description "Pre: Update data" -p)

# refresh the downloaded data sets: GeoIP database, SpamAssassin rules, ClamAV signatures
geoip-fetch
sa-update
freshclam

snapper create -t post --description "Post: Update data ($SNAPPER_N5)" --pre-number $SNAPPER_N5


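SNAPPER_N51=$(snapper create -t pre --description "Pre: Generating certificates" -p)

# Generate certificates

# Apache certificate
# The key is created encrypted (kept as server.key.secure) and then exported
# unencrypted as server.key so apache can start without a pass phrase prompt.
# The pass phrase goes to openssl through the environment ("env:") instead of
# "pass:" on the command line, so it is not readable from the process list.
APACHE_KEY_PASS="0passphrase$MYSQLROOTPASS"
export APACHE_KEY_PASS
openssl genrsa -passout env:APACHE_KEY_PASS -des3 -out /etc/apache2/ssl.key/server.key 4096
# -subj gives the request a proper subject (same CN as the dovecot certificate);
# the former chain of empty "echo"s accepted whatever defaults openssl.cnf has,
# typically leaving the CN unset. -batch suppresses any remaining prompt.
openssl req -batch -new -passin env:APACHE_KEY_PASS -key /etc/apache2/ssl.key/server.key -subj "/CN=$MY_FULLHOSTNAME" -out /etc/apache2/ssl.csr/server.csr
openssl x509 -passin env:APACHE_KEY_PASS -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
openssl rsa -passin env:APACHE_KEY_PASS -in /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.key/server.key.insecure
mv /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
mv /etc/apache2/ssl.key/server.key.insecure /etc/apache2/ssl.key/server.key
# private keys must be readable by root only (apache loads them before dropping privileges)
chmod 0600 /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
unset APACHE_KEY_PASS

# postfix certificat moved below after ISPconfig installation

# dovecot certificate (mkcert.sh and dovecot-openssl.cnf were written earlier)

cd /usr/share/doc/packages/dovecot
sh ./mkcert.sh
cd /

snapper create -t post --description "Post: Generating certificates ($SNAPPER_N51)" --pre-number "$SNAPPER_N51"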

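SNAPPER_N6=$(snapper create -t pre --description "Pre: Configure services" -p)

systemctl stop xdm.service

# Switch off X login (check!)
systemctl disable xdm.service

# enable everything; fail2ban is deliberately left out of the start list here
# (it is restarted in the "Remaining steps" phase at the end of the script)
for svc in mysql postfix dovecot named amavis clamd apache2 pure-ftpd fail2ban ntp; do
  systemctl enable "$svc.service"
done

for svc in mysql postfix dovecot named amavis clamd apache2 pure-ftpd ntp; do
  systemctl start "$svc.service"
done

SuSEconfig

# mysql_secure_installation, driven non-interactively: a copy of the packaged
# script gets its "read" prompts replaced by assignments and is run under sh.
# mktemp gives a private (0600), unpredictable file - the old fixed
# /tmp/mysql_secure_i2.sh was created world-readable and could be pre-planted
# by a local user. The root password is only referenced by variable name in the
# copy and handed over through the environment at run time, so it is written
# neither to disk nor onto the sed command line.

MYSQLSECINST=$(mktemp /tmp/mysql_secure_i2.XXXXXX)
cat /usr/bin/mysql_secure_installation > "$MYSQLSECINST"
sed -i 's,read reply,reply="",g' "$MYSQLSECINST"
sed -i 's,read password1,password1="$MYSQLROOTPASS",g' "$MYSQLSECINST"
sed -i 's,read password2,password2="$MYSQLROOTPASS",g' "$MYSQLSECINST"
# must come after password1/password2: "read password" is a prefix of those
sed -i 's,read password,password="",g' "$MYSQLSECINST"
MYSQLROOTPASS="$MYSQLROOTPASS" sh "$MYSQLSECINST"
rm -f -- "$MYSQLSECINST"

snapper create -t post --description "Post: Configure services ($SNAPPER_N6)" --pre-number "$SNAPPER_N6"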

# ============================
# Helper functions

#######################################
# Patch a pure-ftpd configuration file in place: allow renames and dot-file
# writes, pin the passive port range to 30000-30500, raise the recursion and
# client limits, and set a restrictive umask.
# Arguments: $1 - path of the pure-ftpd.conf(-style) file
# Outputs:   edits the file in place
#######################################
fix_pureftpd() {
  local conf=$1
  local expr
  for expr in \
    's/NoRename.*yes/NoRename no/g' \
    's/AutoRename.*yes/AutoRename no/g' \
    's/ProhibitDotFilesWrite.*yes/ProhibitDotFilesWrite no/g' \
    's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' \
    's/LimitRecursion.*2000 8/LimitRecursion 20000 10/g' \
    's/^Umask\ *.*$/Umask 137:027/' \
    's/^MaxClientsNumber\ *10$/MaxClientsNumber 256/' \
    's/^MaxClientsPerIP\ *3$/MaxClientsPerIP 16/'
  do
    sed -i "$expr" "$conf"
  done
}

#######################################
# Patch a dovecot 1.2-style single-file configuration in place: listen on all
# interfaces, enable SSL with the /etc/ssl dovecot.pem pair, raise the per-IP
# connection limit, and insert the two "namespace private" blocks (the INBOX.
# one hidden) ahead of the commented-out original.
# Arguments: $1 - path of the dovecot.conf to patch
# Outputs:   edits the file in place
#######################################
fix_dovecot12() {
  local conf=$1

  sed -i 's/^#listen =.*/listen = \*/g' "$conf"
  sed -i 's/^ssl = no/ssl = yes/g' "$conf"
  sed -i 's,#ssl_cert_file = .*,ssl_cert_file = /etc/ssl/certs/dovecot.pem,g' "$conf"
  sed -i 's,#ssl_key_file = .*,ssl_key_file = /etc/ssl/private/dovecot.pem,g' "$conf"
  sed -i 's,#mail_max_userip_connections = .*,mail_max_userip_connections = 32,g' "$conf"
  # the replacement text spans several lines; "\n" in the replacement is GNU sed
  sed -i 's/#namespace private/namespace private {\n    separator = .\n    prefix =\n    inbox = yes\n}\n\nnamespace private {\n    separator = .\n    prefix = INBOX.\n    inbox = no\n    hidden = yes\n    list = no   # for v1.1+\n}\n\n# {changed} namespace private/g'  "$conf"
}

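#######################################
# Patch the dovecot 2.x configuration under /etc/dovecot for the ISPConfig
# setup: plain/login auth over the SQL backend, vmail uid/gid 5000, maildir
# layout under /var/vmail with an INBOX. namespace, the /etc/ssl dovecot.pem
# pair, the postfix SASL and auth-master sockets, and the quota/sieve plugins.
# All paths are fixed; arguments are ignored.
# Globals:   MY_DOMAIN (read; falls back to example.com) for postmaster_address
# Outputs:   edits files under /etc/dovecot in place
#######################################
fix_dovecot20() {

  # 10-auth.conf
  sed -i 's/^[#]\?disable_plaintext_auth[ ]\?=.*$/disable_plaintext_auth = no/g' /etc/dovecot/conf.d/10-auth.conf
  sed -i 's/^auth_mechanisms[ ]\?=.*$/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf
  sed -i 's/^#!include auth-sql\.conf\.ext.*$/!include auth-sql.conf.ext/g' /etc/dovecot/conf.d/10-auth.conf

  # 10-logging.conf
  sed -i 's/^[#]\?log_timestamp[ ]\?=.*$/log_timestamp = "%Y-%m-%d %H:%M:%S "/g' /etc/dovecot/conf.d/10-logging.conf

  # 10-mail.conf: mail_location plus the two namespaces (the INBOX. one hidden)
  sed -i 's,^#mail_location[ ]\?=.*$,mail_location = maildir:/var/vmail/%d/%n/Maildir\n\nnamespace {\n    type = private\n    inbox = yes\n    location =\n    prefix =\n    separator = .\n}\n\nnamespace {\n    type = private\n    separator = .\n    prefix = INBOX.\n    inbox = no\n    hidden = yes\n    list = no\n}\n\n,g' /etc/dovecot/conf.d/10-mail.conf

  # single vmail uid/gid 5000 for all mailboxes
  sed -i 's,^[#]\?first_valid_uid[ ]\?=.*$,first_valid_uid = 5000,g' /etc/dovecot/conf.d/10-mail.conf
  sed -i 's,^[#]\?last_valid_uid[ ]\?=.*$,last_valid_uid = 5000,g' /etc/dovecot/conf.d/10-mail.conf
  sed -i 's,^[#]\?first_valid_gid[ ]\?=.*$,first_valid_gid = 5000,g' /etc/dovecot/conf.d/10-mail.conf
  sed -i 's,^[#]\?last_valid_gid[ ]\?=.*$,last_valid_gid = 5000,g' /etc/dovecot/conf.d/10-mail.conf

  sed -i 's,^[#]\?mail_uid[ ]\?=.*$,mail_uid = 5000,g' /etc/dovecot/conf.d/10-mail.conf
  sed -i 's,^[#]\?mail_gid[ ]\?=.*$,mail_gid = 5000,g' /etc/dovecot/conf.d/10-mail.conf


  sed -i 's,^[#]\?auth_socket_path[ ]\?=.*$,auth_socket_path = /var/run/dovecot/auth-master,g' /etc/dovecot/conf.d/10-mail.conf

  # 10-master.conf
  sed -i 's,^[ ]*#user = \$default_internal_user$,  user = root,g' /etc/dovecot/conf.d/10-master.conf

  # The multi-line "service imap {" / "service pop3 {" blocks cannot be matched
  # line by line, so the file is temporarily joined into one line (newline ->
  # __NL__), patched, and split back again.
  perl -i -p -e 's,\n,__NL__,g' /etc/dovecot/conf.d/10-master.conf
  sed -i 's,__NL__service imap [{]__NL__[ ]*#,\nservice imap {\n  executable = /usr/lib/dovecot/rawlog /usr/lib/dovecot/imap\n  #,g' /etc/dovecot/conf.d/10-master.conf
  sed -i 's,__NL__service pop3 [{]__NL__[ ]*#,\nservice pop3 {\n  executable = /usr/lib/dovecot/rawlog /usr/lib/dovecot/pop3\n  #,g' /etc/dovecot/conf.d/10-master.conf
  sed -i 's,#unix_listener /var/spool/postfix.*#},unix_listener /var/spool/postfix/private/auth {\n    mode = 0660\n    user = postfix\n    group = postfix\n  }\n  unix_listener auth-master {\n    mode = 0600\n    user = vmail\n  }\n,g' /etc/dovecot/conf.d/10-master.conf
  sed -i 's,__NL__,\n,g' /etc/dovecot/conf.d/10-master.conf


  # 10-ssl.conf
  sed -i 's,^[#]\?ssl[ ]\?=.*$,ssl = yes,g' /etc/dovecot/conf.d/10-ssl.conf
  sed -i 's,^[#]\?ssl_cert[ ]\?=.*$,ssl_cert = </etc/ssl/certs/dovecot.pem,g' /etc/dovecot/conf.d/10-ssl.conf
  sed -i 's,^[#]\?ssl_key[ ]\?=.*$,ssl_key = </etc/ssl/private/dovecot.pem,g' /etc/dovecot/conf.d/10-ssl.conf

  # 15-lda.conf: the postmaster address follows MY_DOMAIN instead of being
  # hard-coded to example.com (the script's default domain, so the default
  # result is unchanged)
  sed -i 's,^[#]\?postmaster_address[ ]\?=.*$,postmaster_address = postmaster@'"${MY_DOMAIN:-example.com}"',g' /etc/dovecot/conf.d/15-lda.conf
  sed -i 's,^[ ]*[#]\?mail_plugins[ ]\?=.*$,  mail_plugins = sieve quota,g' /etc/dovecot/conf.d/15-lda.conf

  # 20-imap.conf / 20-pop3.conf
  sed -i 's,^[ ]*[#]\?mail_max_userip_connections[ ]\?=.*$,  mail_max_userip_connections = 32,g' /etc/dovecot/conf.d/20-imap.conf
  sed -i 's,^[ ]*[#]\?mail_plugins[ ]\?=.*$,  mail_plugins = quota imap_quota,g' /etc/dovecot/conf.d/20-imap.conf

  sed -i 's,^[ ]*[#]\?mail_max_userip_connections[ ]\?=.*$,  mail_max_userip_connections = 32,g' /etc/dovecot/conf.d/20-pop3.conf
  sed -i 's,^[ ]*[#]\?mail_plugins[ ]\?=.*$,  mail_plugins = quota,g' /etc/dovecot/conf.d/20-pop3.conf
  sed -i 's,^[ ]*[#]\?pop3_uidl_format[ ]\?=.*$,  pop3_uidl_format = %08Xu%08Xv,g' /etc/dovecot/conf.d/20-pop3.conf

  # 90-quota.conf
  sed -i 's,^[ ]*[#]\?quota[ ]\?=[ ]\?maildir:.*$,  quota = maildir:User quota,g' /etc/dovecot/conf.d/90-quota.conf

  # auth-sql.conf.ext: point at the dovecot-sql.conf ISPConfig writes
  sed -i 's,^[ ]*[#]\?args[ ]\?= /etc/dovecot/dovecot-sql\.conf\.ext.*$,  args = /etc/dovecot/dovecot-sql.conf,g' /etc/dovecot/conf.d/auth-sql.conf.ext

  # dovecot.conf
  sed -i 's,^[#]\?protocols[ ]\?=.*$,protocols = imap pop3,g' /etc/dovecot/dovecot.conf
  sed -i 's/^[#]\?listen[ ]\?=.*$/listen = *, ::/g' /etc/dovecot/dovecot.conf

  sed -i 's/^[#]\?shutdown_clients[ ]\?=.*$/shutdown_clients = yes/g' /etc/dovecot/dovecot.conf

}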

#######################################
# Patch an apache config that defines the "combined_ispconfig" LogFormat:
# append the logio byte counters (%I %O) to the format and log the client
# address (%a) instead of the host name (%h).
# Arguments: $1 - path of the apache config file
# Outputs:   edits the file in place
#######################################
fix_customlog() {
  local conf=$1
  sed -i 's/ent}i\\\"\" combined_ispconfig/ent}i\\\" %I %O" combined_ispconfig/g' "$conf"
  sed -i 's/LogFormat \"%v %h/LogFormat \"%v %a/g' "$conf"
}

#######################################
# Prepare an unpacked ISPConfig source tree before its installer/updater runs:
# patch the live dovecot config and copy it in as the openSUSE template, patch
# the pure-ftpd and apache templates, and point server.ini at the awstats
# locations used on this system.
# Arguments: $1 - root of the unpacked ISPConfig tree
# Outputs:   edits files below $1 (and /etc/dovecot via fix_dovecot20) in place
#######################################
fix_ispconfig() {
  local src=$1
  local tpl ini

  fix_dovecot20
  cp /etc/dovecot/dovecot.conf "$src/install/tpl/opensuse_dovecot.conf.master"
  fix_pureftpd "$src/install/tpl/opensuse_pureftpd_conf.master"

  for tpl in \
    "$src/server/conf/apache_ispconfig.conf.master" \
    "$src/install/tpl/apache_ispconfig.conf.master" \
    "$src/install/dist/tpl/gentoo/apache_ispconfig.conf.master"
  do
    fix_customlog "$tpl"
  done

  ini="$src/install/tpl/server.ini.master"
  sed -i 's,^awstats_data_dir=.*$,awstats_data_dir=/var/cache/awstats,' "$ini"
  sed -i 's,^awstats_pl=.*$,awstats_pl=/srv/www/cgi-bin/awstats.pl,' "$ini"
  sed -i 's,^awstats_buildstaticpages_pl=.*$,awstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl,' "$ini"
}

# ============================

# Install ISPCONFIG

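SNAPPER_N7=$(snapper create -t pre --description "Pre: ISPConfig Install" -p)

# Fix dovecot config

fix_dovecot20

cd /tmp
# NOTE(review): the tarball is not checksum/signature verified before install
wget -c "$ISPCONFIG_TAR_GZ"
tar xvfz ISPConfig-*.tar.gz

fix_ispconfig /tmp/ispconfig3_install

cd ispconfig3_install/install/

# answers for the installer prompts: hostname, then the MySQL root password,
# everything else left at its default
(echo; echo; echo "$MY_FULLHOSTNAME"; echo; echo; echo "$MYSQLROOTPASS"; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php


cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz

# fix postfix certificate (now that smtpd.key is created)
# -subj sets the subject explicitly (same CN as the apache and dovecot certificates)
# instead of accepting the openssl.cnf defaults through a chain of empty echos

openssl req -batch -new -key /etc/postfix/smtpd.key -subj "/CN=$MY_FULLHOSTNAME" -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert

chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert


# Squirrelmail, PHPMyAdmin symlinks

ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail
ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin


snapper create -t post --description "Post: ISPConfig Install ($SNAPPER_N7)" --pre-number "$SNAPPER_N7"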

# Reconfigure Apache

SNAPPER_N8=$(snapper create -t pre --description "Pre: Reconfigure Apache" -p)

# ISPConfig panel vhost on 8080: switch it to SSL with the apache certificate
sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost
# broaden the directory index list
sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf

# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf

sed -i 's,^Alias /error/,#Alias /error/,' /etc/apache2/errors.conf

# same php.ini tweaks for the apache, cli and fastcgi SAPIs
for ini in /etc/php5/apache2/php.ini /etc/php5/cli/php.ini /etc/php5/fastcgi/php.ini; do
  sed -i 's/max_execution_time = 30/max_execution_time = 120/' "$ini"
  sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' "$ini"
  sed -i 's/post_max_size = 8M/post_max_size = 32M/' "$ini"
  sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' "$ini"
done

systemctl restart apache2.service

snapper create -t post --description "Post: Reconfigure Apache ($SNAPPER_N8)" --pre-number $SNAPPER_N8

# create backup script
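SNAPPER_N9=$(snapper create -t pre --description "Pre: Creating backup scripts" -p)

# /backup holds copies of every file on the system (shadow, keys, ...), so it is
# kept root-only like /srvbackup_do
mkdir -p /backup
chown root:root /backup
chmod og-rwx /backup

mkdir -p /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do

# Nightly backup script. Unquoted delimiter: the MySQL root password and the
# host name are expanded into the file now (the file itself is root-only);
# everything that must stay a run-time expansion is escaped with "\$".
cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash

# never fall through to the "rm -rf mysql" below from some other directory
cd /srvbackup_do || exit 1
sync

# password via the environment rather than -p<password>, so it is not visible
# in the process list while the mysql clients run
MYSQL_PWD="$MYSQLROOTPASS"
export MYSQL_PWD

mysqladmin refresh
mysqlcheck -A --auto-repair

# backup into a single file
# mysqldump --all-databases >mysqldump.sql
# chmod og-rw mysqldump.sql

# backup into multiple files
rm -rf mysql
mkdir mysql
chown root:root mysql
chmod og-rwx mysql

for i in /var/lib/mysql/*/; do
    dbname=\$(basename "\$i")

    # create the dump file with restrictive permissions before writing into it
    echo >"mysql/\$dbname.sql"
    chown root:root "mysql/\$dbname.sql"
    chmod og-rwx "mysql/\$dbname.sql"

    mysqldump "\$dbname" >"mysql/\$dbname.sql"
    chown root:root "mysql/\$dbname.sql"
    chmod og-rwx "mysql/\$dbname.sql"
done

# (the original had a stray "--exclude --exclude", which made rdiff-backup treat
# "/var/lib/nfs/rpc_pipefs" as a third positional argument)
/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /.snapshots --exclude /var/tmp --exclude /var/lib/named --exclude /var/run --exclude /var/lock --exclude /var/lib/nfs/rpc_pipefs / /backup/$MY_FULLHOSTNAME

#/usr/local/bin/duplicity \\
#--include /etc \\
#--include /srv \\
#--include /srvbackup_do \\
#--include /var/vmail \\
#--include /var/lib/mysql \\
#--include /var/log \\
#--include /usr/local \\
#--include /var/spool/amavis \\
#--include /var/spool/cron \\
#--include /home \\
#--exclude '**' \\
#--no-encryption \\
#--ssh-options="-oProtocol=2 -oIdentityFile=/etc/ssh/ssh_host_dsa_key" \\
#/ scp://user@backuphost/my.server.com


EOFMARKER2

chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh

# add the cron entry only once, so re-running this script does not duplicate it
CRONLINE='51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1'
grep -qF -- "$CRONLINE" /var/spool/cron/tabs/root 2>/dev/null \
  || printf '%s\n' "$CRONLINE" >>/var/spool/cron/tabs/root

snapper create -t post --description "Post: Creating backup scripts ($SNAPPER_N9)" --pre-number "$SNAPPER_N9"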


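SNAPPER_N10=$(snapper create -t pre --description "Pre: Remaining steps" -p)

systemctl restart postfix.service
systemctl restart fail2ban.service
systemctl restart mysql.service

# password via the environment so it does not appear in the process list
MYSQL_PWD="$MYSQLROOTPASS" mysqladmin refresh

# Old code for fixing awstats path directly in the database
# Now it's fixed in server.ini.master before the installation of ISPConfig
#
#mysqldump -u root -p$MYSQLROOTPASS dbispconfig server >/tmp/server.sql
#sed -i 's,\\nawstats_data_dir=[^\\]*\\n,\\nawstats_data_dir=/var/cache/awstats\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_pl=[^\\]*\\n,\\nawstats_pl=/srv/www/cgi-bin/awstats.pl\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_buildstaticpages_pl=[^\\]*\\n,\\nawstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl\\n,' /tmp/server.sql
#mysql -u root -p$MYSQLROOTPASS dbispconfig </tmp/server.sql
#rm -rf /tmp/server.sql


# ==============

if [ "$ISPCONFIG_SVN" = "yes" ]; then
    # Update ISPConfig from SVN
    # NOTE(review): svn:// is unauthenticated; what is exported here is run as root

    cd /tmp
    svn export svn://svn.ispconfig.org/ispconfig3/trunk/ ispconfigsvn

    fix_ispconfig /tmp/ispconfigsvn

    # Run update from the install directory - update.php lives next to
    # install.php there, and the original ran it from /tmp where it does not exist
    cd /tmp/ispconfigsvn/install && php -q update.php
    cd /tmp
    rm -rf /tmp/ispconfigsvn

fi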


# =========================================================================
# Fix configuration files, overwritten by ISPConfig update
# Re-run these lines after ISP-Config update

# Pure-ftpd

# Pure-ftpd: re-apply our settings to the live config, then bounce the mail/ftp services
fix_pureftpd /etc/pure-ftpd/pure-ftpd.conf

for svc in pure-ftpd dovecot postfix; do
  systemctl restart "$svc.service"
done

# CustomLog: re-apply to the live vhost and to ISPConfig's installed template
fix_customlog /etc/apache2/sites-available/ispconfig.conf
fix_customlog /usr/local/ispconfig/server/conf/apache_ispconfig.conf.master

# TODO: install all dependencies of GeoIP and enable GeoIP inside awstats

systemctl restart apache2.service

snapper create -t post --description "Post: Remaining steps ($SNAPPER_N10)" --pre-number $SNAPPER_N10
