free
/
freedombone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
freedombone/src/freedombone-utils-web

1079 lines
47 KiB
Plaintext
Raw Normal View History

Stockholm initial
2016-07-03 17:13:34 +02:00
#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# Web related functions
#
# License
# =======
#
Enable letsencrypt Why wasn't that on already?
2017-05-05 20:48:30 +02:00
# Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>
Stockholm initial
2016-07-03 17:13:34 +02:00
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# default search engine for command line browser
DEFAULT_SEARCH='https://searx.laquadrature.net'
Reorganize matrix
2017-01-01 21:40:08 +01:00
# onion port for the default domain
DEFAULT_DOMAIN_ONION_PORT=8099
Stockholm initial
2016-07-03 17:13:34 +02:00
# Whether Let's Encrypt is enabled for all sites
Enable letsencrypt Why wasn't that on already?
2017-05-05 20:48:30 +02:00
LETSENCRYPT_ENABLED="yes"
Stockholm initial
2016-07-03 17:13:34 +02:00
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
# list of encryption protocols
SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"
Switch to mozilla recommended ciphers These work better on Android devices
2017-05-05 23:31:24 +02:00
# Mozilla recommended default ciphers. These work better on Android
# See https://wiki.mozilla.org/Security/Server_Side_TLS
SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
Stockholm initial
2016-07-03 17:13:34 +02:00
Allow some apps to use ciphers better suited for mobile apps
2017-05-10 23:27:52 +02:00
# some mobile apps (eg. NextCloud) have not very good cipher compatibility.
# These ciphers can be used for those cases
SSL_CIPHERS_MOBILE="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"
Stockholm initial
2016-07-03 17:13:34 +02:00
NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite"
NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0'
# memory limit for php in MB
MAX_PHP_MEMORY=64
# logging level for Nginx
WEBSERVER_LOG_LEVEL='warn'
# test a domain name to see if it's valid
function validate_domain_name {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
# count the number of dots in the domain name
dots=${TEST_DOMAIN_NAME//[^.]}
no_of_dots=${#dots}
if (( $no_of_dots > 3 )); then
TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z"
fi
if (( $no_of_dots == 0 )); then
TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z"
fi
Stockholm initial
2016-07-03 17:13:34 +02:00
}
function nginx_disable_sniffing {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
domain_name=$1
filename=/etc/nginx/sites-available/$domain_name
echo ' add_header X-Frame-Options DENY;' >> $filename
echo ' add_header X-Content-Type-Options nosniff;' >> $filename
echo '' >> $filename
Stockholm initial
2016-07-03 17:13:34 +02:00
}
function nginx_limits {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
domain_name=$1
max_body='20m'
if [ $2 ]; then
max_body=$2
fi
filename=/etc/nginx/sites-available/$domain_name
echo " client_max_body_size ${max_body};" >> $filename
echo ' client_body_buffer_size 128k;' >> $filename
echo '' >> $filename
echo ' limit_conn conn_limit_per_ip 10;' >> $filename
echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename
echo '' >> $filename
}
function nginx_stapling {
domain_name=$1
filename=/etc/nginx/sites-available/$domain_name
echo " ssl_stapling on;" >> $filename
echo ' ssl_stapling_verify on;' >> $filename
echo ' ssl_trusted_certificate /etc/ssl/certs/${domain_name}.pem;' >> $filename
echo '' >> $filename
Stockholm initial
2016-07-03 17:13:34 +02:00
}
function nginx_http_redirect {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
# redirect port 80 to https
domain_name=$1
filename=/etc/nginx/sites-available/$domain_name
echo 'server {' > $filename
echo ' listen 80;' >> $filename
echo ' listen [::]:80;' >> $filename
echo " server_name ${domain_name};" >> $filename
echo " root /var/www/${domain_name}/htdocs;" >> $filename
Turning logs off
2016-11-10 14:26:31 +01:00
echo ' access_log /dev/null;' >> $filename
Web logs off by default
2016-11-18 19:33:08 +01:00
echo " error_log /dev/null;" >> $filename
Include ocsp stapling
2016-08-08 14:49:19 +02:00
function_check nginx_limits
nginx_limits $domain_name
Additional index on http redirect
2017-04-03 21:24:25 +02:00
if [ ${#2} -gt 0 ]; then
echo " $2;" >> $filename
fi
Include ocsp stapling
2016-08-08 14:49:19 +02:00
echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> $filename
echo '}' >> $filename
echo '' >> $filename
Stockholm initial
2016-07-03 17:13:34 +02:00
}
Use compressed responses for gnusocial/postactiv
2017-05-14 11:52:16 +02:00
function nginx_compress {
domain_name=$1
filename=/etc/nginx/sites-available/$domain_name
echo ' gzip on;' >> $filename
echo ' gzip_min_length 1000;' >> $filename
echo ' gzip_proxied expired no-cache no-store private auth;' >> $filename
echo ' gzip_types text/plain application/xml;' >> $filename
}
Stockholm initial
2016-07-03 17:13:34 +02:00
function nginx_ssl {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
# creates the SSL/TLS section for a website
domain_name=$1
Allow some apps to use ciphers better suited for mobile apps
2017-05-10 23:27:52 +02:00
mobile_ciphers=$2
Include ocsp stapling
2016-08-08 14:49:19 +02:00
filename=/etc/nginx/sites-available/$domain_name
Explicitly turn off stapling
2016-10-12 18:56:58 +02:00
echo ' ssl_stapling off;' >> $filename
echo ' ssl_stapling_verify off;' >> $filename
Include ocsp stapling
2016-08-08 14:49:19 +02:00
echo ' ssl on;' >> $filename
use letsencrypt for ssl
2017-03-14 23:26:35 +01:00
echo " ssl_certificate /etc/letsencrypt/live/${domain_name}/fullchain.pem;" >> $filename
echo " ssl_certificate_key /etc/letsencrypt/live/${domain_name}/privkey.pem;" >> $filename
Include ocsp stapling
2016-08-08 14:49:19 +02:00
echo " ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename
echo '' >> $filename
Add session cache
2016-10-12 19:06:33 +02:00
echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> $filename
Include ocsp stapling
2016-08-08 14:49:19 +02:00
echo ' ssl_session_timeout 60m;' >> $filename
echo ' ssl_prefer_server_ciphers on;' >> $filename
echo " ssl_protocols $SSL_PROTOCOLS;" >> $filename
Allow some apps to use ciphers better suited for mobile apps
2017-05-10 23:27:52 +02:00
if [ $mobile_ciphers ]; then
echo " # Mobile compatible ciphers" >> $filename
echo " ssl_ciphers '$SSL_CIPHERS_MOBILE';" >> $filename
else
echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename
fi
When ssl is enabled only allow https content within the site
2016-10-31 11:42:03 +01:00
echo " add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> $filename
Some additional nginx security settings
2017-05-08 17:43:42 +02:00
echo ' add_header X-XSS-Protection "1; mode=block";' >> $filename
echo ' add_header X-Robots-Tag none;' >> $filename
echo ' add_header X-Download-Options noopen;' >> $filename
echo ' add_header X-Permitted-Cross-Domain-Policies none;' >> $filename
No stapling
2016-10-17 18:57:16 +02:00
#nginx_stapling $1
Stockholm initial
2016-07-03 17:13:34 +02:00
}
# check an individual domain name
function test_domain_name {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [ $1 ]; then
TEST_DOMAIN_NAME=$1
Test domain gets modified
2016-12-21 22:55:50 +01:00
if [[ $TEST_DOMAIN_NAME != 'ttrss' ]]; then
function_check validate_domain_name
validate_domain_name
if [[ $TEST_DOMAIN_NAME != $1 ]]; then
echo $"Invalid domain name $TEST_DOMAIN_NAME"
exit 8528
fi
Include ocsp stapling
2016-08-08 14:49:19 +02:00
fi
fi
Stockholm initial
2016-07-03 17:13:34 +02:00
}
# Checks whether certificates were generated for the given hostname
function check_certificates {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [ ! $1 ]; then
return
fi
USE_LETSENCRYPT='no'
if [ $2 ]; then
USE_LETSENCRYPT=$2
fi
if [[ $USE_LETSENCRYPT == 'no' ]]; then
Convert between pem and crt if letsencrypt fails
2016-10-20 23:46:51 +02:00
if [ ! -f /etc/ssl/private/${1}.key ]; then
echo $"Private certificate for ${CHECK_HOSTNAME} was not created"
Include ocsp stapling
2016-08-08 14:49:19 +02:00
exit 63959
fi
Convert between pem and crt if letsencrypt fails
2016-10-20 23:46:51 +02:00
if [ ! -f /etc/ssl/certs/${1}.crt ]; then
echo $"Public certificate for ${CHECK_HOSTNAME} was not created"
Include ocsp stapling
2016-08-08 14:49:19 +02:00
exit 7679
fi
Convert between pem and crt if letsencrypt fails
2016-10-20 23:46:51 +02:00
if grep -q "${1}.pem" /etc/nginx/sites-available/${1}; then
sed -i "s|${1}.pem|${1}.crt|g" /etc/nginx/sites-available/${1}
fi
Include ocsp stapling
2016-08-08 14:49:19 +02:00
else
if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then
Convert between pem and crt if letsencrypt fails
2016-10-20 23:46:51 +02:00
echo $"Private certificate for ${CHECK_HOSTNAME} was not created"
Include ocsp stapling
2016-08-08 14:49:19 +02:00
exit 6282
fi
if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then
Convert between pem and crt if letsencrypt fails
2016-10-20 23:46:51 +02:00
echo $"Public certificate for ${CHECK_HOSTNAME} was not created"
Include ocsp stapling
2016-08-08 14:49:19 +02:00
exit 5328
fi
Convert between pem and crt if letsencrypt fails
2016-10-20 23:46:51 +02:00
if grep -q "${1}.crt" /etc/nginx/sites-available/${1}; then
sed -i "s|${1}.crt|${1}.pem|g" /etc/nginx/sites-available/${1}
fi
Include ocsp stapling
2016-08-08 14:49:19 +02:00
fi
Convert between pem and crt if letsencrypt fails
2016-10-20 23:46:51 +02:00
if [ ! -f /etc/ssl/certs/${1}.dhparam ]; then
echo $"DiffieHellman parameters for ${CHECK_HOSTNAME} were not created"
Include ocsp stapling
2016-08-08 14:49:19 +02:00
exit 5989
fi
Stockholm initial
2016-07-03 17:13:34 +02:00
}
Improve letsencrypt certs
2016-10-26 17:10:46 +02:00
function cert_exists {
cert_type='dhparam'
if [ $2 ]; then
cert_type="$2"
fi
if [ -f /etc/ssl/certs/${1}.${cert_type} ]; then
echo "1"
else
Check letsencrypt directory
2016-10-30 20:50:02 +01:00
if [ -f /etc/letsencrypt/live/${1}/fullchain.${cert_type} ]; then
echo "1"
else
echo "0"
fi
Improve letsencrypt certs
2016-10-26 17:10:46 +02:00
fi
}
function create_self_signed_cert {
${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}
function_check check_certificates
check_certificates ${SITE_DOMAIN_NAME}
}
function create_letsencrypt_cert {
${PROJECT_NAME}-addcert -e ${SITE_DOMAIN_NAME} -s ${LETSENCRYPT_SERVER} --dhkey ${DH_KEYLENGTH} --email ${MY_EMAIL_ADDRESS}
if [ ! "$?" = "0" ]; then
if [[ ${NO_SELF_SIGNED} == 'no' ]]; then
echo $"Lets Encrypt failed for ${SITE_DOMAIN_NAME}, so try making a self-signed cert"
${PROJECT_NAME}-addcert -h ${SITE_DOMAIN_NAME} --dhkey ${DH_KEYLENGTH}
function_check check_certificates
check_certificates ${SITE_DOMAIN_NAME}
else
echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME"
exit 682529
fi
return
fi
function_check check_certificates
check_certificates ${SITE_DOMAIN_NAME} 'yes'
}
Stockholm initial
2016-07-03 17:13:34 +02:00
function create_site_certificate {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
SITE_DOMAIN_NAME="$1"
# if yes then only "valid" certs are allowed, not self-signed
NO_SELF_SIGNED='no'
if [ $2 ]; then
NO_SELF_SIGNED="$2"
fi
if [[ $ONION_ONLY == "no" ]]; then
quotes
2016-10-30 20:59:40 +01:00
if [[ "$(cert_exists ${SITE_DOMAIN_NAME})" == "0" ]]; then
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then
Improve letsencrypt certs
2016-10-26 17:10:46 +02:00
create_self_signed_cert
Include ocsp stapling
2016-08-08 14:49:19 +02:00
else
Improve letsencrypt certs
2016-10-26 17:10:46 +02:00
create_letsencrypt_cert
fi
else
if [[ $LETSENCRYPT_ENABLED == "yes" ]]; then
quotes
2016-10-30 20:59:40 +01:00
if [[ "$(cert_exists ${SITE_DOMAIN_NAME} pem)" == "0" ]]; then
Improve letsencrypt certs
2016-10-26 17:10:46 +02:00
create_letsencrypt_cert
Include ocsp stapling
2016-08-08 14:49:19 +02:00
fi
fi
fi
fi
Stockholm initial
2016-07-03 17:13:34 +02:00
}
# script to automatically renew any Let's Encrypt certificates
function letsencrypt_renewals {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [[ $ONION_ONLY != "no" ]]; then
return
fi
Only update files when they change
2017-08-05 21:08:57 +02:00
renewals_script=/tmp/renewals_letsencrypt
renewals_retry_script=/tmp/renewals_retry_letsencrypt
Include ocsp stapling
2016-08-08 14:49:19 +02:00
renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'
renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'
# the main script tries to renew once per month
echo '#!/bin/bash' > $renewals_script
echo '' >> $renewals_script
echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script
echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script
echo '' >> $renewals_script
echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script
echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script
echo ' rm ~/letsencrypt_failed' >> $renewals_script
echo ' fi' >> $renewals_script
echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script
echo -n "awk -F ':' '{print " >> $renewals_script
echo -n '$2' >> $renewals_script
echo "}')" >> $renewals_script
echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script
echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script
echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script
echo -n "awk -F '/' '{print " >> $renewals_script
echo -n '$5' >> $renewals_script
echo "}')" >> $renewals_script
echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script
echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script
echo ' if [ ! "$?" = "0" ]; then' >> $renewals_script
echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script
echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script
echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script
echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script
echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script
echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_script
echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script
echo ' touch ~/letsencrypt_failed' >> $renewals_script
echo ' fi' >> $renewals_script
echo ' fi' >> $renewals_script
echo ' fi' >> $renewals_script
echo ' done' >> $renewals_script
echo 'fi' >> $renewals_script
chmod +x $renewals_script
Only update files when they change
2017-08-05 21:08:57 +02:00
if [ ! -f /etc/cron.monthly/letsencrypt ]; then
cp $renewals_script /etc/cron.monthly/letsencrypt
else
HASH1=$(sha256sum $renewals_script | awk -F ' ' '{print $1}')
HASH2=$(sha256sum /etc/cron.monthly/letsencrypt | awk -F ' ' '{print $1}')
if [[ "$HASH1" != "$HASH2" ]]; then
cp $renewals_script /etc/cron.monthly/letsencrypt
fi
fi
rm $renewals_script
Include ocsp stapling
2016-08-08 14:49:19 +02:00
# a secondary script keeps trying to renew after a failure
echo '#!/bin/bash' > $renewals_retry_script
echo '' >> $renewals_retry_script
echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script
echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script
echo '' >> $renewals_retry_script
echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script
echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
echo ' rm ~/letsencrypt_failed' >> $renewals_retry_script
echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script
echo -n "awk -F ':' '{print " >> $renewals_retry_script
echo -n '$2' >> $renewals_retry_script
echo "}')" >> $renewals_retry_script
echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script
echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script
echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script
echo -n "awk -F '/' '{print " >> $renewals_retry_script
echo -n '$5' >> $renewals_retry_script
echo "}')" >> $renewals_retry_script
echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script
echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script
echo ' if [ ! "$?" = "0" ]; then' >> $renewals_retry_script
echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script
echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script
echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script
echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script
echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script
echo ' touch ~/letsencrypt_failed' >> $renewals_retry_script
echo ' fi' >> $renewals_retry_script
echo ' fi' >> $renewals_retry_script
echo ' fi' >> $renewals_retry_script
echo ' done' >> $renewals_retry_script
echo ' fi' >> $renewals_retry_script
echo 'fi' >> $renewals_retry_script
chmod +x $renewals_retry_script
Only update files when they change
2017-08-05 21:08:57 +02:00
if [ ! -f /etc/cron.daily/letsencrypt ]; then
cp $renewals_retry_script /etc/cron.daily/letsencrypt
else
HASH1=$(sha256sum $renewals_retry_script | awk -F ' ' '{print $1}')
HASH2=$(sha256sum /etc/cron.daily/letsencrypt | awk -F ' ' '{print $1}')
if [[ "$HASH1" != "$HASH2" ]]; then
cp $renewals_retry_script /etc/cron.daily/letsencrypt
fi
fi
rm $renewals_retry_script
Stockholm initial
2016-07-03 17:13:34 +02:00
}
function configure_php {
php directory
2017-06-03 13:43:06 +02:00
sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/fpm/php.ini
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/7.0/fpm/php.ini
Missing slash
2017-06-04 11:09:00 +02:00
sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php/7.0/cli/php.ini
php directory
2017-06-03 13:43:06 +02:00
sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php/7.0/fpm/php.ini
sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php/7.0/fpm/php.ini
Stockholm initial
2016-07-03 17:13:34 +02:00
}
function install_web_server_access_control {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [ ! -f /etc/pam.d/nginx ]; then
echo '#%PAM-1.0' > /etc/pam.d/nginx
echo '@include common-auth' >> /etc/pam.d/nginx
echo '@include common-account' >> /etc/pam.d/nginx
echo '@include common-session' >> /etc/pam.d/nginx
fi
Stockholm initial
2016-07-03 17:13:34 +02:00
}
function install_dynamicdns {
Remove hardcoded variants
2016-10-08 20:32:04 +02:00
if [[ $SYSTEM_TYPE == "mesh"* ]]; then
Include ocsp stapling
2016-08-08 14:49:19 +02:00
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
Check inadyn commit
2017-08-05 18:48:08 +02:00
CURR_INADYN_COMMIT=$(get_completion_param "inadyn commit")
if [[ "${CURR_INADYN_COMMIT}" == "${INADYN_COMMIT}" ]]; then
return
fi
Include ocsp stapling
2016-08-08 14:49:19 +02:00
# update to the next commit
function_check set_repo_commit
set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO
Tidying
2016-10-16 20:50:56 +02:00
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
Include ocsp stapling
2016-08-08 14:49:19 +02:00
return
fi
# Here we compile from source because the current package
# doesn't support https, which could result in passwords
# being leaked
# Debian version 1.99.4-1
# https version 1.99.8
Quieter install
2016-10-23 20:38:14 +02:00
apt-get -yq install build-essential curl libgnutls28-dev automake1.11
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [ ! -d $INSTALL_DIR/inadyn ]; then
Include extra repos
2017-06-15 13:43:52 +02:00
if [ -d /repos/inadyn ]; then
mkdir $INSTALL_DIR/inadyn
Copying with hidden files
2017-06-17 19:37:06 +02:00
cp -r -p /repos/inadyn/. $INSTALL_DIR/inadyn
Include extra repos
2017-06-15 13:43:52 +02:00
cd $INSTALL_DIR/inadyn
git pull
else
git_clone $INADYN_REPO $INSTALL_DIR/inadyn
fi
Include ocsp stapling
2016-08-08 14:49:19 +02:00
fi
if [ ! -d $INSTALL_DIR/inadyn ]; then
echo 'inadyn repo not cloned'
echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs
exit 6785
fi
cd $INSTALL_DIR/inadyn
git checkout $INADYN_COMMIT -b $INADYN_COMMIT
Tidying
2016-10-16 20:50:56 +02:00
set_completion_param "inadyn commit" "$INADYN_COMMIT"
Include ocsp stapling
2016-08-08 14:49:19 +02:00
Don't use autogen in inadyn build
2017-05-18 10:56:00 +02:00
#./autogen.sh
Include ocsp stapling
2016-08-08 14:49:19 +02:00
./configure
if [ ! "$?" = "0" ]; then
exit 74890
fi
USE_OPENSSL=1 make
if [ ! "$?" = "0" ]; then
exit 74858
fi
make install
if [ ! "$?" = "0" ]; then
exit 3785
fi
# create an unprivileged user
No permissions on shadow most of the time
2016-11-29 16:00:40 +01:00
#chmod 600 /etc/shadow
#chmod 600 /etc/gshadow
Include ocsp stapling
2016-08-08 14:49:19 +02:00
#useradd -r -s /bin/false debian-inadyn
No permissions on shadow most of the time
2016-11-29 16:00:40 +01:00
#chmod 0000 /etc/shadow
#chmod 0000 /etc/gshadow
Include ocsp stapling
2016-08-08 14:49:19 +02:00
# create a configuration file
echo 'background' > /etc/inadyn.conf
echo 'verbose 1' >> /etc/inadyn.conf
echo 'period 300' >> /etc/inadyn.conf
echo 'startup-delay 60' >> /etc/inadyn.conf
echo 'cache-dir /run/inadyn' >> /etc/inadyn.conf
echo 'logfile /dev/null' >> /etc/inadyn.conf
chmod 600 /etc/inadyn.conf
echo '[Unit]' > /etc/systemd/system/inadyn.service
echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service
echo 'After=network.target' >> /etc/systemd/system/inadyn.service
echo '' >> /etc/systemd/system/inadyn.service
echo '[Service]' >> /etc/systemd/system/inadyn.service
echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service
echo 'Restart=always' >> /etc/systemd/system/inadyn.service
echo 'Type=forking' >> /etc/systemd/system/inadyn.service
echo '' >> /etc/systemd/system/inadyn.service
echo '[Install]' >> /etc/systemd/system/inadyn.service
echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service
systemctl enable inadyn
systemctl start inadyn
systemctl daemon-reload
Tidying
2016-10-16 20:50:56 +02:00
mark_completed $FUNCNAME
Stockholm initial
2016-07-03 17:13:34 +02:00
}
Update default search engine for all users
2017-09-23 13:17:16 +02:00
function update_default_search_engine {
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
if ! grep -q "WWW_HOME" /home/$USERNAME/.bashrc; then
if ! grep -q 'controluser' /home/$USERNAME/.bashrc; then
Avoid duplicate bashrc entries
2017-09-23 13:24:23 +02:00
if ! grep -q 'export WWW_HOME=' /home/$USERNAME/.bashrc; then
echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$USERNAME/.bashrc
else
sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" /home/$USERNAME/.bashrc
fi
Update default search engine for all users
2017-09-23 13:17:16 +02:00
else
Avoid duplicate bashrc entries
2017-09-23 13:24:23 +02:00
if ! grep -q 'export WWW_HOME=' /home/$USERNAME/.bashrc; then
sed -i "/controluser/i export WWW_HOME=$DEFAULT_SEARCH" /home/$USERNAME/.bashrc
else
sed -i "s|export WWW_HOME=.*|export WWW_HOME=$DEFAULT_SEARCH|g" /home/$USERNAME/.bashrc
fi
Update default search engine for all users
2017-09-23 13:17:16 +02:00
fi
fi
fi
done
}
More consolidation of mesh functions
2016-07-12 11:55:18 +02:00
function install_command_line_browser {
Tidying
2016-10-16 20:50:56 +02:00
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
Include ocsp stapling
2016-08-08 14:49:19 +02:00
return
fi
Quieter install
2016-10-23 20:38:14 +02:00
apt-get -yq install elinks
Update default search engine for all users
2017-09-23 13:17:16 +02:00
update_default_search_engine
Include ocsp stapling
2016-08-08 14:49:19 +02:00
Tidying
2016-10-16 20:50:56 +02:00
mark_completed $FUNCNAME
More consolidation of mesh functions
2016-07-12 11:55:18 +02:00
}
function mesh_web_server {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [ -d /etc/apache2 ]; then
Quieter install
2016-10-23 20:38:14 +02:00
chroot "$rootdir" apt-get -yq remove --purge apache2
Include ocsp stapling
2016-08-08 14:49:19 +02:00
chroot "$rootdir" rm -rf /etc/apache2
fi
More consolidation of mesh functions
2016-07-12 11:55:18 +02:00
Quieter install
2016-10-23 20:38:14 +02:00
chroot "$rootdir" apt-get -yq install nginx
More consolidation of mesh functions
2016-07-12 11:55:18 +02:00
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [ ! -d $rootdir/etc/nginx ]; then
echo $'Unable to install web server'
exit 346825
fi
More consolidation of mesh functions
2016-07-12 11:55:18 +02:00
}
Stockholm initial
2016-07-03 17:13:34 +02:00
function install_web_server {
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [ $INSTALLING_MESH ]; then
mesh_web_server
return
fi
# update to the next commit
function_check set_repo_commit
lower case
2016-10-02 21:41:56 +02:00
set_repo_commit $INSTALL_DIR/nginx_ensite "nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO
Include ocsp stapling
2016-08-08 14:49:19 +02:00
Tidying
2016-10-16 20:50:56 +02:00
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
Include ocsp stapling
2016-08-08 14:49:19 +02:00
return
fi
# remove apache
Quieter install
2016-10-23 20:38:14 +02:00
apt-get -yq remove --purge apache2
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [ -d /etc/apache2 ]; then
rm -rf /etc/apache2
fi
# install nginx
Install nginx before npm
2017-04-13 21:49:58 +02:00
apt-get -yq install nginx
Update php to version 7.0
2017-05-29 15:40:34 +02:00
apt-get -yq install php-fpm git
Include ocsp stapling
2016-08-08 14:49:19 +02:00
Turn off nginx logs on install
2016-11-18 16:06:14 +01:00
# Turn off logs by default
sed -i 's|access_log.*|access_log = /dev/null;|g' /etc/nginx/nginx.conf
sed -i 's|error_log.*|error_log = /dev/null;|g' /etc/nginx/nginx.conf
Include ocsp stapling
2016-08-08 14:49:19 +02:00
# limit the number of php processes
php directory
2017-06-03 13:43:06 +02:00
sed -i 's/; process.max =.*/process.max = 32/g' /etc/php/7.0/fpm/php-fpm.conf
#sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php/7.0/fpm/php-fpm.conf
php systemd interval
2017-07-10 10:58:44 +02:00
sed -i 's|;systemd_interval.*|systemd_interval = 10|g' /etc/php/7.0/fpm/php-fpm.conf
More php settings
2017-07-10 11:22:37 +02:00
sed -i 's|;emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf
sed -i 's|emergency_restart_threshold.*|emergency_restart_threshold = 2|g' /etc/php/7.0/fpm/php-fpm.conf
sed -i 's|;emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf
sed -i 's|emergency_restart_interval.*|emergency_restart_interval = 1m|g' /etc/php/7.0/fpm/php-fpm.conf
sed -i 's|;process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf
sed -i 's|process_control_timeout.*|process_control_timeout = 10s|g' /etc/php/7.0/fpm/php-fpm.conf
php directory
2017-06-03 13:43:06 +02:00
if ! grep -q "pm.max_children" /etc/php/7.0/fpm/php-fpm.conf; then
Change php to static processes
2017-07-10 13:40:16 +02:00
echo 'pm = static' >> /etc/php/7.0/fpm/php-fpm.conf
php directory
2017-06-03 13:43:06 +02:00
echo 'pm.max_children = 10' >> /etc/php/7.0/fpm/php-fpm.conf
echo 'pm.start_servers = 2' >> /etc/php/7.0/fpm/php-fpm.conf
echo 'pm.min_spare_servers = 2' >> /etc/php/7.0/fpm/php-fpm.conf
echo 'pm.max_spare_servers = 5' >> /etc/php/7.0/fpm/php-fpm.conf
Change php to static processes
2017-07-10 13:40:16 +02:00
echo 'pm.max_requests = 10' >> /etc/php/7.0/fpm/php-fpm.conf
Include ocsp stapling
2016-08-08 14:49:19 +02:00
fi
php process timeout
2017-07-10 19:30:09 +02:00
if ! grep -q "request_terminate_timeout" /etc/php/7.0/fpm/php-fpm.conf; then
echo 'request_terminate_timeout = 30' >> /etc/php/7.0/fpm/php-fpm.conf
else
sed -i 's|request_terminate_timeout =.*|request_terminate_timeout = 30|g' >> /etc/php/7.0/fpm/php-fpm.conf
fi
sed -i 's|max_execution_time =.*|max_execution_time = 30|g' /etc/php/7.0/fpm/php.ini
Include ocsp stapling
2016-08-08 14:49:19 +02:00
if [ ! -d /etc/nginx ]; then
echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE"
exit 51
fi
# Nginx settings
echo 'user www-data;' > /etc/nginx/nginx.conf
#echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf
echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo 'events {' >> /etc/nginx/nginx.conf
echo ' worker_connections 50;' >> /etc/nginx/nginx.conf
echo ' # multi_accept on;' >> /etc/nginx/nginx.conf
echo '}' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo 'http {' >> /etc/nginx/nginx.conf
echo ' # limit the number of connections per single IP' >> /etc/nginx/nginx.conf
echo ' limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # limit the number of requests for a given session' >> /etc/nginx/nginx.conf
echo ' limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf
echo ' client_body_buffer_size 128k;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf
echo ' client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf
echo ' large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf
echo ' client_body_timeout 3m;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf
echo ' client_header_timeout 3m;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo ' # Basic Settings' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' sendfile on;' >> /etc/nginx/nginx.conf
echo ' tcp_nopush on;' >> /etc/nginx/nginx.conf
echo ' tcp_nodelay on;' >> /etc/nginx/nginx.conf
echo ' keepalive_timeout 65;' >> /etc/nginx/nginx.conf
echo ' types_hash_max_size 2048;' >> /etc/nginx/nginx.conf
echo ' server_tokens off;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf
echo ' # server_name_in_redirect off;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf
echo ' default_type application/octet-stream;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo ' # Logging Settings' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
Web logs off by default
2016-11-18 19:33:08 +01:00
echo ' access_log /dev/null;' >> /etc/nginx/nginx.conf
echo ' error_log /dev/null;' >> /etc/nginx/nginx.conf
Include ocsp stapling
2016-08-08 14:49:19 +02:00
echo '' >> /etc/nginx/nginx.conf
echo ' ###' >> /etc/nginx/nginx.conf
echo ' # Gzip Settings' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo ' gzip on;' >> /etc/nginx/nginx.conf
echo ' gzip_disable "msie6";' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' # gzip_vary on;' >> /etc/nginx/nginx.conf
echo ' # gzip_proxied any;' >> /etc/nginx/nginx.conf
echo ' # gzip_comp_level 6;' >> /etc/nginx/nginx.conf
echo ' # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf
echo ' # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf
echo ' # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo ' # Virtual Host Configs' >> /etc/nginx/nginx.conf
echo ' ##' >> /etc/nginx/nginx.conf
echo '' >> /etc/nginx/nginx.conf
echo ' include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf
echo ' include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf
echo '}' >> /etc/nginx/nginx.conf
# install a script to easily enable and disable nginx virtual hosts
if [ ! -d $INSTALL_DIR ]; then
mkdir $INSTALL_DIR
fi
cd $INSTALL_DIR
function_check git_clone
git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite
cd $INSTALL_DIR/nginx_ensite
git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT
Tidying
2016-10-16 20:50:56 +02:00
set_completion_param "nginx-ensite commit" "$NGINX_ENSITE_COMMIT"
Include ocsp stapling
2016-08-08 14:49:19 +02:00
make install
nginx_dissite default
function_check configure_firewall_for_web_access
configure_firewall_for_web_access
Tidying
2016-10-16 20:50:56 +02:00
mark_completed $FUNCNAME
Stockholm initial
2016-07-03 17:13:34 +02:00
}
Remove individual cert files
2016-10-20 23:02:16 +02:00
function remove_certs {
domain_name=$1
if [ ! $domain_name ]; then
return
fi
if [ -f /etc/ssl/certs/${domain_name}.dhparam ]; then
rm /etc/ssl/certs/${domain_name}.dhparam
fi
if [ -f /etc/ssl/certs/${domain_name}.pem ]; then
rm /etc/ssl/certs/${domain_name}.pem
fi
if [ -f /etc/ssl/certs/${domain_name}.crt ]; then
rm /etc/ssl/certs/${domain_name}.crt
fi
if [ -f /etc/ssl/private/${domain_name}.key ]; then
rm /etc/ssl/private/${domain_name}.key
fi
}
Move firewall functions to their logical homes
2016-10-22 19:26:17 +02:00
function configure_firewall_for_web_access {
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
return
fi
if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
# docker does its own firewalling
return
fi
if [[ $ONION_ONLY != "no" ]]; then
return
fi
firewall_add HTTP 80 tcp
firewall_add HTTPS 443 tcp
mark_completed $FUNCNAME
}
Handle prosody letsencrypt certs
2016-10-27 23:51:21 +02:00
function update_default_domain {
Messages
2016-10-30 20:42:39 +01:00
echo $'Updating default domain'
irc configuration for onion only systems
2016-11-01 22:53:25 +01:00
if [[ $ONION_ONLY == 'no' ]]; then
if [ -d /etc/prosody ]; then
Use letsencrypt cert for mumble
2017-05-07 13:55:02 +02:00
if [ -f /etc/mumble-server.ini ]; then
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
if [ ! -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then
Use letsencrypt cert for mumble
2017-05-07 13:55:02 +02:00
if ! grep -q "mumble.pem" /etc/mumble-server.ini; then
sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini
sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini
systemctl restart mumble
fi
else
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
if ! grep -q "${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/mumble-server.ini; then
Use letsencrypt cert for mumble
2017-05-07 13:55:02 +02:00
usermod -a -G ssl-cert mumble-server
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
sed -i "s|sslCert=.*|sslCert=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/mumble-server.ini
sed -i "s|sslKey=.*|sslKey=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/mumble-server.ini
Use letsencrypt cert for mumble
2017-05-07 13:55:02 +02:00
systemctl restart mumble
fi
fi
fi
irc configuration for onion only systems
2016-11-01 22:53:25 +01:00
if [ ! -d /etc/prosody/certs ]; then
mkdir /etc/prosody/certs
fi
cp /etc/ssl/private/xmpp* /etc/prosody/certs
cp /etc/ssl/certs/xmpp* /etc/prosody/certs
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
if [ -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then
Use letsencrypt cert for mumble
2017-05-07 13:55:02 +02:00
usermod -a -G ssl-cert prosody
Don't repeatedly config congestion control
2017-08-05 23:11:02 +02:00
if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua
Don't repeatedly config congestion control
2017-08-05 23:11:02 +02:00
fi
if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/conf.avail/xmpp.cfg.lua; then
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua
Don't repeatedly config congestion control
2017-08-05 23:11:02 +02:00
fi
Prosody conference domain
2016-10-27 23:55:49 +02:00
Don't repeatedly config congestion control
2017-08-05 23:11:02 +02:00
if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/prosody.cfg.lua; then
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua
Don't repeatedly config congestion control
2017-08-05 23:11:02 +02:00
fi
if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua
Don't repeatedly config congestion control
2017-08-05 23:11:02 +02:00
fi
Ensure that xmpp cert paths get converted on certificate reissue
2017-05-07 12:49:13 +02:00
Scope
2018-01-21 11:07:21 +01:00
if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua
fi
Ensure that xmpp cert paths get converted on certificate reissue
2017-05-07 12:49:13 +02:00
Scope
2018-01-21 11:07:21 +01:00
if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/conf.avail/xmpp.cfg.lua; then
sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua
fi
Ensure that xmpp cert paths get converted on certificate reissue
2017-05-07 12:49:13 +02:00
Scope
2018-01-21 11:07:21 +01:00
if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/prosody.cfg.lua; then
sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua
fi
Ensure that xmpp cert paths get converted on certificate reissue
2017-05-07 12:49:13 +02:00
Scope
2018-01-21 11:07:21 +01:00
if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/prosody.cfg.lua; then
sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua
fi
Ensure that xmpp cert paths get converted on certificate reissue
2017-05-07 12:49:13 +02:00
fi
Permissions and certs for prosody
2016-11-22 12:02:50 +01:00
chown -R prosody:default /etc/prosody
irc configuration for onion only systems
2016-11-01 22:53:25 +01:00
chmod -R 700 /etc/prosody/certs/*
Permissions and certs for prosody
2016-11-22 12:02:50 +01:00
chmod 600 /etc/prosody/prosody.cfg.lua
Only copy prosody modules if the directory exists
2018-01-21 11:10:43 +01:00
if [ -d $INSTALL_DIR/prosody-modules ]; then
cp -r $INSTALL_DIR/prosody-modules/* /var/lib/prosody/prosody-modules/
fi
Ensure correct prosody modules are loaded
2017-07-10 17:36:14 +02:00
chown -R prosody:prosody /var/lib/prosody/prosody-modules
irc configuration for onion only systems
2016-11-01 22:53:25 +01:00
systemctl reload prosody
Use letsencrypt cert with mumble
2016-10-28 14:19:08 +02:00
fi
Change irc certs
2016-10-30 20:34:28 +01:00
irc configuration for onion only systems
2016-11-01 22:53:25 +01:00
if [ -d /home/znc/.znc ]; then
echo $'znc found'
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
if [ -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then
irc configuration for onion only systems
2016-11-01 22:53:25 +01:00
pkill znc
cat /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key > /home/znc/.znc/znc.pem
chown znc:znc /home/znc/.znc/znc.pem
chmod 700 /home/znc/.znc/znc.pem
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
sed -i "s|CertFile =.*|CertFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/ngircd/ngircd.conf
irc configuration for onion only systems
2016-11-01 22:53:25 +01:00
sed -i "s|DHFile =.*|DHFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam" /etc/ngircd/ngircd.conf
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
sed -i "s|KeyFile =.*|KeyFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/ngircd/ngircd.conf
irc configuration for onion only systems
2016-11-01 22:53:25 +01:00
echo $'irc certificates updated'
systemctl restart ngircd
su -c 'znc' - znc
fi
Missing fi
2016-10-28 17:00:22 +02:00
fi
Handle dovecot cert
2016-10-31 19:39:35 +01:00
Unfortunately, copying of tls keys for exim seems like the only option
2018-01-05 16:18:07 +01:00
if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then
if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
if [ -d /etc/dovecot ]; then
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
if ! grep -q "ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/dovecot/conf.d/10-ssl.conf; then
sed -i "s|#ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf
sed -i "s|ssl_cert =.*|ssl_cert = </etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/dovecot/conf.d/10-ssl.conf
Unfortunately, copying of tls keys for exim seems like the only option
2018-01-05 16:18:07 +01:00
systemctl restart dovecot
fi
fi
if [ -d /etc/exim4 ]; then
Ensure letsencrypt certs are used where appropriate
2018-01-21 10:58:16 +01:00
# Unfortunately there doesn't appear to be any other way than copying certs here
Unfortunately, copying of tls keys for exim seems like the only option
2018-01-05 16:18:07 +01:00
cp /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/{fullchain,privkey}.pem /etc/exim4/
chown root:Debian-exim /etc/exim4/*.pem
chmod 640 /etc/exim4/*.pem
certificate not certkey
2018-01-05 16:46:26 +01:00
sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
sed -i "s|MAIN_TLS_CERTIFICATE =.*|MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem|g" /etc/exim4/exim4.conf.template
Unfortunately, copying of tls keys for exim seems like the only option
2018-01-05 16:18:07 +01:00
sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
sed -i "s|MAIN_TLS_PRIVATEKEY =.*|MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem|g" /etc/exim4/exim4.conf.template
systemctl restart exim4
Check default domain name is more than zero length
2016-12-05 17:01:19 +01:00
fi
irc configuration for onion only systems
2016-11-01 22:53:25 +01:00
fi
Handle dovecot cert
2016-10-31 19:39:35 +01:00
fi
fi
Handle prosody letsencrypt certs
2016-10-27 23:51:21 +02:00
}
Reorganize matrix
2017-01-01 21:40:08 +01:00
function create_default_web_site {
if [ ! -f /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} ]; then
# create a web site for the default domain
if [ ! -d /var/www/${DEFAULT_DOMAIN_NAME}/htdocs ]; then
mkdir -p /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
if [ -d /root/${PROJECT_NAME} ]; then
cd /root/${PROJECT_NAME}/website
./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
else
if [ -d /home/${MY_USERNAME}/${PROJECT_NAME} ]; then
cd /home/${MY_USERNAME}/${PROJECT_NAME}
./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs
fi
fi
fi
# add a config for the default domain
nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME
if [[ $ONION_ONLY == "no" ]]; then
function_check nginx_http_redirect
nginx_http_redirect $DEFAULT_DOMAIN_NAME
echo 'server {' >> $nginx_site
echo ' listen 443 ssl;' >> $nginx_site
echo ' listen [::]:443 ssl;' >> $nginx_site
echo " server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site
echo '' >> $nginx_site
echo ' # Security' >> $nginx_site
function_check nginx_ssl
Use mobile ciphers for default domain
2017-05-11 13:54:38 +02:00
nginx_ssl $DEFAULT_DOMAIN_NAME mobile
Reorganize matrix
2017-01-01 21:40:08 +01:00
function_check nginx_disable_sniffing
nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
echo ' add_header Strict-Transport-Security max-age=15768000;' >> $nginx_site
echo '' >> $nginx_site
echo ' # Logs' >> $nginx_site
echo ' access_log /dev/null;' >> $nginx_site
echo ' error_log /dev/null;' >> $nginx_site
echo '' >> $nginx_site
echo ' # Root' >> $nginx_site
echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site
echo '' >> $nginx_site
echo ' # Index' >> $nginx_site
echo ' index index.html;' >> $nginx_site
echo '' >> $nginx_site
echo ' # Location' >> $nginx_site
echo ' location / {' >> $nginx_site
function_check nginx_limits
nginx_limits $DEFAULT_DOMAIN_NAME '15m'
echo ' }' >> $nginx_site
echo '' >> $nginx_site
echo ' # Restrict access that is unnecessary anyway' >> $nginx_site
echo ' location ~ /\.(ht|git) {' >> $nginx_site
echo ' deny all;' >> $nginx_site
echo ' }' >> $nginx_site
echo '}' >> $nginx_site
else
echo -n '' > $nginx_site
fi
echo 'server {' >> $nginx_site
echo " listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;" >> $nginx_site
echo " server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site
echo '' >> $nginx_site
function_check nginx_disable_sniffing
nginx_disable_sniffing $DEFAULT_DOMAIN_NAME
echo '' >> $nginx_site
echo ' # Logs' >> $nginx_site
echo ' access_log /dev/null;' >> $nginx_site
echo ' error_log /dev/null;' >> $nginx_site
echo '' >> $nginx_site
echo ' # Root' >> $nginx_site
echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site
echo '' >> $nginx_site
echo ' # Location' >> $nginx_site
echo ' location / {' >> $nginx_site
function_check nginx_limits
nginx_limits $DEFAULT_DOMAIN_NAME '15m'
echo ' }' >> $nginx_site
echo '' >> $nginx_site
echo ' # Restrict access that is unnecessary anyway' >> $nginx_site
echo ' location ~ /\.(ht|git) {' >> $nginx_site
echo ' deny all;' >> $nginx_site
echo ' }' >> $nginx_site
echo '}' >> $nginx_site
if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
function_check create_site_certificate
create_site_certificate $DEFAULT_DOMAIN_NAME 'yes'
fi
nginx_ensite $DEFAULT_DOMAIN_NAME
fi
}
Install composer
2017-07-25 23:11:03 +02:00
function install_composer {
# curl -sS https://getcomposer.org/installer | php
if [ -f ~/${PROJECT_NAME}/image_build/composer_install ]; then
cat ~/${PROJECT_NAME}/image_build/composer_install | php
else
if [ -f /home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install ]; then
cat /home/$MY_USERNAME/${PROJECT_NAME}/image_build/composer_install | php
fi
fi
Install akaunting with composer
2017-12-20 22:53:18 +01:00
if [ -f composer.phar ]; then
cp composer.phar composer
fi
Install composer
2017-07-25 23:11:03 +02:00
php composer.phar install
if [ ! "$?" = "0" ]; then
echo $'Unable to run composer install'
exit 7252198
fi
}
Disable email chunking on upgrades
2017-11-27 23:46:29 +01:00
function email_disable_chunking {
if [ -f /etc/exim4/conf.d/main/04_exim4-config_chunking ]; then
return
fi
echo "chunking_advertise_hosts =" > /etc/exim4/conf.d/main/04_exim4-config_chunking
update-exim4.conf
dpkg-reconfigure --frontend noninteractive exim4-config
systemctl restart exim4
}
Move tls function to be accessible to upgrade
2017-08-31 20:44:16 +02:00
function email_install_tls {
tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions
tls_auth_config_file=/etc/exim4/conf.d/auth/30_exim4-config_examples
Restart daemon after email config changes
2017-08-31 20:46:25 +02:00
email_config_changed=
Move tls function to be accessible to upgrade
2017-08-31 20:44:16 +02:00
if [ ! -f $tls_config_file ]; then
tls_config_file=/etc/exim4/exim4.conf.template
tls_auth_config_file=$tls_config_file
fi
if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
${PROJECT_NAME}-addcert -h exim --dhkey $DH_KEYLENGTH
check_certificates exim
cp /etc/ssl/certs/exim.dhparam /etc/exim4
chown root:Debian-exim /etc/exim4/exim.dhparam
chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
Restart daemon after email config changes
2017-08-31 20:46:25 +02:00
email_config_changed=1
Move tls function to be accessible to upgrade
2017-08-31 20:44:16 +02:00
fi
if ! grep -q 'MAIN_TLS_ENABLE = true' $tls_config_file; then
sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME =\nMAIN_TLS_ENABLE = true" $tls_config_file
Restart daemon after email config changes
2017-08-31 20:46:25 +02:00
email_config_changed=1
Move tls function to be accessible to upgrade
2017-08-31 20:44:16 +02:00
fi
if ! grep -q "tls_on_connect_ports=465" $tls_config_file; then
sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' $tls_config_file
Restart daemon after email config changes
2017-08-31 20:46:25 +02:00
email_config_changed=1
Move tls function to be accessible to upgrade
2017-08-31 20:44:16 +02:00
fi
if grep -q '# login_saslauthd_server' $tls_auth_config_file; then
sed -i '/login_saslauthd_server/,/.endif/ s/# *//' $tls_auth_config_file
Restart daemon after email config changes
2017-08-31 20:46:25 +02:00
email_config_changed=1
Move tls function to be accessible to upgrade
2017-08-31 20:44:16 +02:00
fi
if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
Unfortunately, copying of tls keys for exim seems like the only option
2018-01-05 16:18:07 +01:00
cp /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem /etc/exim4/
chown root:Debian-exim /etc/exim4/*.pem
chmod 640 /etc/exim4/*.pem
certificate not certkey
2018-01-05 16:46:26 +01:00
if ! grep -q "MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file; then
sed -i "/.ifdef MAIN_TLS_CERTKEY/i\MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem" $tls_config_file
Restart daemon after email config changes
2017-08-31 20:46:25 +02:00
email_config_changed=1
Move tls function to be accessible to upgrade
2017-08-31 20:44:16 +02:00
fi
fi
if [ -f /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key ]; then
Unfortunately, copying of tls keys for exim seems like the only option
2018-01-05 16:18:07 +01:00
cp /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem /etc/exim4/
chown root:Debian-exim /etc/exim4/*.pem
chmod 640 /etc/exim4/*.pem
if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file; then
sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem" $tls_config_file
Restart daemon after email config changes
2017-08-31 20:46:25 +02:00
email_config_changed=1
Move tls function to be accessible to upgrade
2017-08-31 20:44:16 +02:00
fi
fi
if ! grep -q "SMTPLISTENEROPTIONS='-oX 465:25:587" /etc/default/exim4; then
sed -i "s|SMTPLISTENEROPTIONS=.*|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4
Restart daemon after email config changes
2017-08-31 20:46:25 +02:00
email_config_changed=1
fi
if [ $email_config_changed ]; then
Remove xinetd when fixing stig tests, since it causes a violation
2017-09-01 12:05:05 +02:00
systemctl restart saslauthd
Restart daemon after email config changes
2017-08-31 20:46:25 +02:00
systemctl restart exim4
Move tls function to be accessible to upgrade
2017-08-31 20:44:16 +02:00
fi
}
Placeholder web user interface
2018-01-07 15:47:43 +01:00
function install_web_local_user_interface {
# TODO
# This is intended as a placeholder for a potential local web user interface
# similar to Plinth or the yunohost admin interface
local_hostname=$(cat /etc/avahi/avahi-daemon.conf | grep 'host-name' | awk -F '=' '{print $2}').local
mkdir -p /var/www/${local_hostname}/htdocs
echo '<html>' > /var/www/${local_hostname}/htdocs/index.html
echo ' <body>' >> /var/www/${local_hostname}/htdocs/index.html
echo " This is a test on $local_hostname" >> /var/www/${local_hostname}/htdocs/index.html
echo ' </body>' >> /var/www/${local_hostname}/htdocs/index.html
echo '</html>' >> /var/www/${local_hostname}/htdocs/index.html
chown -R www-data:www-data /var/www/${local_hostname}/htdocs
nginx_file=/etc/nginx/sites-available/$local_hostname
echo 'server {' > $nginx_file
echo ' listen 80;' >> $nginx_file
echo ' listen [::]:80;' >> $nginx_file
echo " server_name ${local_hostname};" >> $nginx_file
echo " root /var/www/${local_hostname}/htdocs;" >> $nginx_file
echo ' index index.html;' >> $nginx_file
echo '}' >> $nginx_file
nginx_ensite $local_hostname
}
Stockholm initial
2016-07-03 17:13:34 +02:00
# NOTE: deliberately no exit 0