Turnkey Moodle 5 18.1 RC2

README.rst

@@ -1,4 +1,4 @@
-Moodle - Course Management System
+Moodle 5.x - Course Management System
 =================================
 
 `Moodle`_ is a popular e-learning software platform, also known as a

changelog

@@ -1,3 +1,11 @@
+turnkey-moodle5-18.1 (1) turnkey; urgency=low
+
+  * Install latest upstream version of Moodle 5.x: Version 5.1.3+ (Build: 20260217)
+   (as of today, 18/02/2026: download via git branch MOODLE_501_STABLE).
+
+  * Set correct permissions and creating (eventually) missing folders.
+
+
 turnkey-moodle-18.0 (1) turnkey; urgency=low
 
   * Install latest upstream version of Moodle: 4.3.0+ (as of today,

conf.d/main

@@ -1,8 +1,23 @@
 #!/bin/bash -ex
 
+# REFERENCE: https://docs.moodle.org/501/en/Git_for_Administrators
+
+# As of today 18/02/2026, use "MOODLE_405_STABLE" branch as the latest stable release of Moodle is 4.5.2
+# or "MOODLE_501_STABLE" as the latest stable release of Moodle is 5.0.4.
+
+MOODLE_BRANCH="MOODLE_501_STABLE"
+
+# Determine Moodle version from branch
+if [[ "$MOODLE_BRANCH" == *"MOODLE_4"* ]]; then
+    MOODLE_VERSION="4"
+elif [[ "$MOODLE_BRANCH" == *"MOODLE_5"* ]]; then
+    MOODLE_VERSION="5"
+else
+    MOODLE_VERSION="4"
+fi
+
 WEBROOT=/var/www/moodle
-DATAROOT=/var/www/moodledata
-MOOSHROOT=/var/www/moosh
+DATAROOT=/var/moodledata
 
 DB_NAME=moodle
 DB_USER=moodle
@@ -34,26 +49,16 @@ a2enmod headers
 sed -Ei "/max_input_vars/ s|^;?(max_input_vars =).*|\1 5000|" /etc/php/8.2/apache2/php.ini
 sed -Ei "/max_input_vars/ s|^;?(max_input_vars =).*|\1 5000|" /etc/php/8.2/cli/php.ini
 
-cd $(dirname $MOOSHROOT)
-git clone https://github.com/tmuras/moosh.git
-cd $MOOSHROOT
-chown -R www-data:www-data $MOOSHROOT
-if [[ -n "$GITHUB_USER_TOKEN" ]]; then
-    turnkey-composer config github-oauth.github.com $GITHUB_USER_TOKEN
-else
-    echo "WARNING: GITHUB_USER_TOKEN not set, build may fail" >&2
-fi
-turnkey-composer install
-ln -s $MOOSHROOT/moosh.php /usr/local/bin/moosh
+# download latest moodle with git
+git clone git://git.moodle.org/moodle.git $WEBROOT
+cd $WEBROOT
+git branch --track $MOODLE_BRANCH origin/$MOODLE_BRANCH
+git checkout $MOODLE_BRANCH
 
-# download latest moodle with moosh, then unpack
-cd $(dirname $WEBROOT)
-moosh download-moodle
-tar -C $(dirname $WEBROOT) -zxf moodle-*.tgz
-rm -f moodle-*.tgz
-chown -R root:root $WEBROOT
+# create the data folder to ser permissions
+mkdir $DATAROOT
 
-cd $WEBROOT
+# CLI installation of moodle - see https://docs.moodle.org/501/en/Installing_Moodle_using_cli for more info
 php admin/cli/install.php \
     --chmod=750 \
     --lang=en \
@@ -74,9 +79,13 @@ php admin/cli/install.php \
     --non-interactive \
     --agree-license
 
-chown -R www-data:www-data $DATAROOT
-chown -R www-data:www-data /var/www/moodle/theme
-chown root:www-data $WEBROOT/config.php
+# get the latest version of UncleDan's set-moodle-perms script and link it to /usr/local/bin for easy execution (THX https://www.turnkeylinux.org/comment/58945#comment-58945 )
+cd /usr/local/src
+git clone https://github.com/UncleDan/moodle-scripts.git
+ln -s /usr/local/src/moodle-scripts/set-moodle-perms  /usr/local/bin/set-moodle-perms
+
+# set permissions using UncleDan script just in case...
+set-moodle-perms --moodleversion $MOODLE_VERSION --fix
 
 ## tweak config
 
@@ -86,6 +95,17 @@ sed -i "s|\$CFG->wwwroot \(.*\)|\$protocol='http://';\n\$hostname='127.0.0.1';\n
 # prevent setting of executable paths via Admin UI (locks down possible privilege escalation)
 sed -i "/'admin';$/ a \$CFG->preventexecpath = true;" $WEBROOT/config.php
 
+# change document root to /var/www/moodle/public if running Moodle 5.0 (makes this modular)
+if [ "$MOODLE_VERSION" = "5" ]; then
+    echo "Moodle 5 detected. Updating DocumentRoot..."
+    sed -i 's|/var/www/moodle/|/var/www/moodle/public/|g' "/etc/apache2/sites-available/moodle.conf"
+
+    echo "Update complete. Checking syntax..."
+    apachectl configtest
+else
+    echo "Moodle version is $MOODLE_VERSION. No path changes required."
+fi
+
 # set paths to utils
 mysql --defaults-extra-file=/etc/mysql/debian.cnf <<EOF
 USE $DB_NAME;

overlay/etc/apache2/sites-available/moodle.conf

@@ -21,25 +21,22 @@ ErrorDocument 403 /error/index.php?code=404
     ServerAdmin  webmaster@localhost
     DocumentRoot /var/www/moodle/
     RewriteEngine On
-    RewriteRule "(\/vendor\/)" - [F]
-    RewriteRule "(\/node_modules\/)" - [F]
-    RewriteRule "(^|/)\.(?!well-known\/)" - [F]
-    RewriteRule "(composer\.json)" - [F]
-    RewriteRule "(\.lock)" - [F]
-    RewriteRule "(\/environment.xml)" - [F]
-    RewriteRule "(\/install.xml)" - [F]
-    RewriteRule "(\/README)" - [F]
-    RewriteRule "(\/readme)" - [F]
-    RewriteRule "(\/moodle_readme)" - [F]
-    RewriteRule "(\/upgrade\.txt)" - [F]
-    RewriteRule "(phpunit\.xml\.dist)" - [F]
-    RewriteRule "(\/tests\/behat\/)" - [F]
-    RewriteRule "(\/fixtures\/)" - [F]
-    RewriteRule "(\/behat\/)" - [F]
+
+    # --- Expanded Security Rewrite Rules ---
+    # This single rule blocks:
+    # 1. Internal Moodle folders (vendor, node_modules, bin, cache, local)
+    # 2. Testing frameworks (tests, behat, fixtures)
+    # 3. Hidden files (.git, .env, .htaccess, .ssh) except .well-known
+    # 4. Config & Lock files (config.php, composer.json, package.json, *.lock)
+    # 5. Docs & XML (README, upgrade.txt, environment.xml, install.xml, phpunit.xml)
+    # 6. Temp/Backup files (*~, *.swp, *.bak, *.old, *.orig)
+
+    RewriteRule "(\/vendor\/|\/node_modules\/|\/bin\/|\/cache\/|\/local\/|\/tests\/|\/behat\/|\/fixtures\/|(^|/)\.(?!well-known\/)|composer\.(json|lock)|package\.(json|lock)|config\.php|.*\.bak|.*\.old|.*\.orig|environment\.xml|install\.xml|README|readme|moodle_readme|upgrade\.txt|phpunit\.xml\.dist)" - [F,NC]
+
 </VirtualHost>
 
 <Directory /var/www/moodle/>
     Options +FollowSymLinks -Indexes
     AllowOverride All
     Require all granted
-</Directory>
+</Directory>