diff --git a/doc/EN/app_mumble.org b/doc/EN/app_mumble.org index ce0058a7..2e046792 100644 --- a/doc/EN/app_mumble.org +++ b/doc/EN/app_mumble.org @@ -49,8 +49,8 @@ Search for and install Plumble. Press the plus button to add a Mumble server. -Enter a label (which can be any name you choose for the server), the default domain name of the Freedombone or preferably the mumble onion address as shown on the *About* screen of the *Administrator control panel*, your username (which can also be anything) and the mumble password which can be found in the *Passwords* section of the *Administrator control panel*. +Enter a label (which can be any name you choose for the server), the default domain name of the Freedombone or preferably the mumble onion address as shown on the *About* screen of the *Administrator control panel*, your username (which can also be anything) and the mumble password which can be found in the *Passwords* section of the *Administrator control panel*. Leave the port number unchanged. -Open the settings. Select General, then Connect via Tor. This will provide better protection, making it more difficult for adversaries to know who is talking to who. +Open the settings. Select *General*, then *Connect via Tor*. This will provide better protection, making it more difficult for adversaries to know who is talking to who. If connecting through Tor is unreliable and causes crashes then unselect *Connect via Tor* on the *General settings* and then just use your ordinary domain name. Selecting the server by pressing on it then connects you to the server so that you can chat with other connected users. diff --git a/doc/EN/fediverse.org b/doc/EN/fediverse.org index 88566d0d..6a8a6277 100644 --- a/doc/EN/fediverse.org +++ b/doc/EN/fediverse.org 
@@ -39,5 +39,5 @@ It may seem like a good idea and it may seem like you're doing a service to the #+BEGIN_CENTER -This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion. This documentation is under the [[https://www.gnu.org/licenses/fdl-1.3.txt][GNU Free Documentation License version 1.3]] +This site can also be accessed via a Tor browser at http://7ec7btgr6m7c5r3h.onion. This documentation is under the [[https://www.gnu.org/licenses/fdl-1.3.txt][GNU Free Documentation License version 1.3]] #+END_CENTER diff --git a/doc/EN/homeserver.org b/doc/EN/homeserver.org index c327bf46..05e1efaa 100644 --- a/doc/EN/homeserver.org +++ b/doc/EN/homeserver.org @@ -153,5 +153,5 @@ man freedombone-image #+end_src #+BEGIN_CENTER -This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion +This site can also be accessed via a Tor browser at http://7ec7btgr6m7c5r3h.onion #+END_CENTER diff --git a/doc/EN/index.org b/doc/EN/index.org index 79f88909..05677b60 100644 --- a/doc/EN/index.org +++ b/doc/EN/index.org @@ -42,5 +42,5 @@ If you find bugs, or want to add a new app to this system see the [[./devguide.h Ready made disk images which can be copied onto USB or microSD drives are [[./downloads/current][available here]]. #+BEGIN_CENTER -This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion. This documentation is under the [[https://www.gnu.org/licenses/fdl-1.3.txt][GNU Free Documentation License version 1.3]] +This site can also be accessed via a Tor browser at http://7ec7btgr6m7c5r3h.onion. This documentation is under the [[https://www.gnu.org/licenses/fdl-1.3.txt][GNU Free Documentation License version 1.3]] #+END_CENTER diff --git a/doc/EN/mesh.org b/doc/EN/mesh.org index f910f4d9..c90fdd1f 100644 --- a/doc/EN/mesh.org +++ b/doc/EN/mesh.org 
@@ -35,5 +35,5 @@ Systems only need to be within wifi range of each other for the mesh to be creat Like [[https://libremesh.org][LibreMesh]], this system uses a combination of [[https://en.wikipedia.org/wiki/B.A.T.M.A.N.][batman-adv]] on network layer 2 and [[http://bmx6.net][BMX]] on layer 3. Routing protocols [[http://www.olsr.org][OLSR2]] and [[https://www.irif.fr/~jch/software/babel][Babel]] are also selectable. #+BEGIN_CENTER -This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion +This site can also be accessed via a Tor browser at http://7ec7btgr6m7c5r3h.onion #+END_CENTER diff --git a/doc/EN/mesh_images.org b/doc/EN/mesh_images.org index c64c61e2..20534c8b 100644 --- a/doc/EN/mesh_images.org +++ b/doc/EN/mesh_images.org 
@@ -37,7 +37,7 @@ The MultiWriter tool is also available within mesh client images, so that you ca [[file:images/mesh_netbook.jpg]] #+END_CENTER -"Client" isn't exactly the right term, but it's a mesh peer with a user interface. These images can be copied to a USB drive, then you can plug it into a laptop/netbook/desktop machine and boot from it. You will probably also need an Atheros USB wifi dongle (the black protruding object on the left side of the netbook in the picture above), because most built-in wifi usually requires proprietary firmware. In the commands below substitute /dev/sdX with the USB drive device, excluding any trailing numbers (eg. /dev/sdb). The USB drive you're copying to will need to be at least 8GB in size. +"Client" isn't exactly the right term, but it's a mesh peer with a user interface. These images can be copied to a USB drive, then you can plug it into a laptop/netbook/desktop machine and boot from it. You will probably also need an Atheros USB wifi dongle (the black protruding object on the left side of the netbook in the picture above), because most built-in wifi usually requires proprietary firmware. In the commands below substitute /dev/sdX with the USB drive device, excluding any trailing numbers (eg. /dev/sdb). The USB drive you're copying to will need to be at least 16GB in size. #+begin_src bash sudo apt-get install xz-utils wget diff --git a/doc/EN/support.org b/doc/EN/support.org index 4bd5d9bf..98c4c099 100644 --- a/doc/EN/support.org +++ b/doc/EN/support.org @@ -18,13 +18,11 @@ * Contact details -This site can also be accessed via a Tor browser at *http://pazyv7nkllp76hqr.onion* +This site can also be accessed via a Tor browser at *http://7ec7btgr6m7c5r3h.onion* *Email:* bob@freedombone.net -*PGP/GPG Key ID:* EA982E38 - -*PGP/GPG Fingerprint:* D538 1159 CD7A 2F80 2F06 ABA0 0452 CC7C EA98 2E38 +*PGP/GPG Fingerprint:* 9ABB82C00ABF39F82680487DCC2536191FA7C33F *XMPP:* bob@freedombone.net with OMEMO or OTR 
diff --git a/src/freedombone-app-ghost b/src/freedombone-app-ghost index 5dc44b27..a885b496 100755 --- a/src/freedombone-app-ghost +++ b/src/freedombone-app-ghost @@ -228,14 +228,21 @@ function backup_local_ghost { GHOST_DOMAIN_NAME=$(get_completion_param "ghost domain") fi + suspend_site ${GHOST_DOMAIN_NAME} + systemctl stop ghost + ghost_path=/var/www/${GHOST_DOMAIN_NAME}/htdocs/content if [ -d $ghost_path ]; then - suspend_site ${GHOST_DOMAIN_NAME} - systemctl stop ghost backup_directory_to_usb $ghost_path ghostcontent - systemctl start ghost - restart_site fi + + ghost_path=/var/www/${GHOST_DOMAIN_NAME}/htdocs/current/content + if [ -d $ghost_path ]; then + backup_directory_to_usb $ghost_path ghostcurrent + fi + + systemctl start ghost + restart_site } function restore_local_ghost { 
@@ -254,12 +261,31 @@ function restore_local_ghost { if [ -d $temp_restore_dir/var/www/$GHOST_DOMAIN_NAME/htdocs/content ]; then cp -r $temp_restore_dir/var/www/$GHOST_DOMAIN_NAME/htdocs/content/* /var/www/$GHOST_DOMAIN_NAME/htdocs/content/ else + if [ ! -d /var/www/$GHOST_DOMAIN_NAME/htdocs/content ]; then + mkdir /var/www/$GHOST_DOMAIN_NAME/htdocs/content + fi cp -r $temp_restore_dir/* /var/www/$GHOST_DOMAIN_NAME/htdocs/content/ fi chown -R ghost:ghost /var/www/$GHOST_DOMAIN_NAME/htdocs/content rm -rf $temp_restore_dir fi + temp_restore_dir=/root/tempghostcurrent + function_check restore_directory_from_usb + restore_directory_from_usb $temp_restore_dir ghostcurrent + if [ -d $temp_restore_dir ]; then + if [ -d $temp_restore_dir/var/www/$GHOST_DOMAIN_NAME/htdocs/current/content ]; then + cp -r $temp_restore_dir/var/www/$GHOST_DOMAIN_NAME/htdocs/current/content/* /var/www/$GHOST_DOMAIN_NAME/htdocs/current/content/ + else + if [ ! -d /var/www/$GHOST_DOMAIN_NAME/htdocs/current/content ]; then + mkdir -p /var/www/$GHOST_DOMAIN_NAME/htdocs/current/content + fi + cp -r $temp_restore_dir/* /var/www/$GHOST_DOMAIN_NAME/htdocs/current/content/ + fi + chown -R ghost:ghost /var/www/$GHOST_DOMAIN_NAME/htdocs/current/content + rm -rf $temp_restore_dir + fi + systemctl start ghost restart_site fi 
@@ -271,15 +297,27 @@ function backup_remote_ghost { GHOST_DOMAIN_NAME=$(get_completion_param "ghost domain") fi + suspend_site ${GHOST_DOMAIN_NAME} + temp_backup_dir=/var/www/${GHOST_DOMAIN_NAME}/htdocs/content if [ -d $temp_backup_dir ]; then - suspend_site ${GHOST_DOMAIN_NAME} backup_directory_to_friend $temp_backup_dir ghostcontent - restart_site else + restart_site echo $"Ghost domain specified but not found in /var/www/${GHOST_DOMAIN_NAME}" exit 2578 fi + + temp_backup_dir=/var/www/${GHOST_DOMAIN_NAME}/htdocs/current/content + if [ -d $temp_backup_dir ]; then + backup_directory_to_friend $temp_backup_dir ghostcurrent + else + restart_site + echo $"Ghost domain specified but not found in $temp_backup_dir" + exit 78353 + fi + + restart_site } function restore_remote_ghost { 
@@ -298,12 +336,31 @@ function restore_remote_ghost { if [ -d $temp_restore_dir/var/www/$GHOST_DOMAIN_NAME/htdocs/content ]; then cp -r $temp_restore_dir/var/www/$GHOST_DOMAIN_NAME/htdocs/content/* /var/www/$GHOST_DOMAIN_NAME/htdocs/content/ else + if [ ! -d /var/www/$GHOST_DOMAIN_NAME/htdocs/content ]; then + mkdir /var/www/$GHOST_DOMAIN_NAME/htdocs/content + fi cp -r $temp_restore_dir/* /var/www/$GHOST_DOMAIN_NAME/htdocs/content/ fi chown -R ghost: /var/www/$GHOST_DOMAIN_NAME/htdocs rm -rf $temp_restore_dir fi + temp_restore_dir=/root/tempghostcurrent + function_check restore_directory_from_friend + restore_directory_from_friend $temp_restore_dir ghostcurrent + if [ -d $temp_restore_dir ]; then + if [ -d $temp_restore_dir/var/www/$GHOST_DOMAIN_NAME/htdocs/current/content ]; then + cp -r $temp_restore_dir/var/www/$GHOST_DOMAIN_NAME/htdocs/current/content/* /var/www/$GHOST_DOMAIN_NAME/htdocs/current/content/ + else + if [ ! -d /var/www/$GHOST_DOMAIN_NAME/htdocs/current/content ]; then + mkdir -p /var/www/$GHOST_DOMAIN_NAME/htdocs/current/content + fi + cp -r $temp_restore_dir/* /var/www/$GHOST_DOMAIN_NAME/htdocs/current/content/ + fi + chown -R ghost: /var/www/$GHOST_DOMAIN_NAME/htdocs + rm -rf $temp_restore_dir + fi + systemctl start ghost restart_site } diff --git a/src/freedombone-app-koel b/src/freedombone-app-koel index 9a21b07c..f38a2ca3 100755 --- a/src/freedombone-app-koel +++ b/src/freedombone-app-koel @@ -39,7 +39,7 @@ KOEL_CODE= KOEL_ONION_PORT=8118 KOEL_PORT=9002 KOEL_REPO="https://github.com/phanan/koel" -KOEL_COMMIT='70464a' +KOEL_COMMIT='8e9b021aa09f2b1460977bdd52fff14ea2bc1607' KOEL_ADMIN_PASSWORD= koel_variables=(ONION_ONLY diff --git a/src/freedombone-app-lychee b/src/freedombone-app-lychee index 6c970b98..727072bf 100755 --- a/src/freedombone-app-lychee +++ b/src/freedombone-app-lychee 
@@ -163,11 +163,22 @@ function restore_local_lychee { LYCHEE_DOMAIN_NAME=$(get_completion_param "lychee domain") fi if [ $LYCHEE_DOMAIN_NAME ]; then + suspend_site ${LYCHEE_DOMAIN_NAME} + function_check lychee_create_database lychee_create_database function_check restore_database restore_database lychee ${LYCHEE_DOMAIN_NAME} + + if [ -f /var/www/$LYCHEE_DOMAIN_NAME/htdocs/data/config.php ]; then + MARIADB_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb) + sed -i "s|dbPassword.*|dbPassword = '$MARIADB_PASSWORD';|g" /var/www/$LYCHEE_DOMAIN_NAME/htdocs/data/config.php + MARIADB_PASSWORD= + fi + + restart_site + chown -R lychee: /var/www/$LYCHEE_DOMAIN_NAME/htdocs/ fi } @@ -195,12 +206,21 @@ function restore_remote_lychee { LYCHEE_DOMAIN_NAME=$(get_completion_param "lychee domain") fi + suspend_site ${LYCHEE_DOMAIN_NAME} + function_check restore_database_from_friend function_check lychee_create_database lychee_create_database restore_database_from_friend lychee ${LYCHEE_DOMAIN_NAME} + + if [ -f /var/www/$LYCHEE_DOMAIN_NAME/htdocs/data/config.php ]; then + MARIADB_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb) + sed -i "s|dbPassword.*|dbPassword = '$MARIADB_PASSWORD';|g" /var/www/$LYCHEE_DOMAIN_NAME/htdocs/data/config.php + MARIADB_PASSWORD= + fi + restart_site chown -R lychee: /var/www/$LYCHEE_DOMAIN_NAME/htdocs/ } diff --git a/src/freedombone-app-mumble b/src/freedombone-app-mumble index 6dc411ff..71a1b5fd 100755 --- a/src/freedombone-app-mumble +++ b/src/freedombone-app-mumble @@ -43,6 +43,7 @@ MUMBLE_DATABASE="mumble-server.sqlite" MUMBLE_CONFIG_FILE="mumble-server.ini" mumble_variables=(MY_USERNAME + DEFAULT_DOMAIN_NAME MUMBLE_PORT ONION_ONLY ADMIN_USERNAME) 
@@ -84,6 +85,21 @@ function upgrade_mumble { if [ -d /etc/letsencrypt ]; then usermod -a -G ssl-cert mumble-server fi + + if [ ! -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then + if ! grep -q "mumble.pem" /etc/mumble-server.ini; then + sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini + sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini + systemctl restart mumble + fi + else + if ! grep -q "${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/mumble-server.ini; then + usermod -a -G ssl-cert mumble-server + sed -i "s|sslCert=.*|sslCert=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/mumble-server.ini + sed -i "s|sslKey=.*|sslKey=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/mumble-server.ini + systemctl restart mumble + fi + fi } function backup_local_mumble { @@ -242,7 +258,7 @@ function install_mumble { if [ ! -d /var/www/${DEFAULT_DOMAIN_NAME}/htdocs ]; then mkdir /var/www/${DEFAULT_DOMAIN_NAME}/htdocs fi - if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then + if [ ! -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt ]; then rm /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.crt fi @@ -265,7 +281,7 @@ function install_mumble { # Make an ssl cert for the server - if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then + if [ ! -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then ${PROJECT_NAME}-addcert -h mumble --dhkey $DH_KEYLENGTH function_check check_certificates 
@@ -307,12 +323,12 @@ function install_mumble { echo 'allowping=False' >> /etc/mumble-server.ini fi sed -i 's|allowping=.*|allowping=False|g' /etc/mumble-server.ini - if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then + if [ ! -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then sed -i 's|#sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini sed -i 's|#sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini else - sed -i "s|#sslCert=.*|sslCert=/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/mumble-server.ini - sed -i "s|#sslKey=.*|sslKey=/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/mumble-server.ini + sed -i "s|#sslCert=.*|sslCert=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/mumble-server.ini + sed -i "s|#sslKey=.*|sslKey=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/mumble-server.ini fi sed -i 's|#certrequired=.*|certrequired=True|g' /etc/mumble-server.ini sed -i 's|users=100|users=10|g' /etc/mumble-server.ini diff --git a/src/freedombone-app-pleroma b/src/freedombone-app-pleroma index ff11f828..4e3f76c5 100755 --- a/src/freedombone-app-pleroma +++ b/src/freedombone-app-pleroma @@ -58,6 +58,8 @@ PLEROMA_TITLE='Pleroma Server' # Number of months after which posts expire PLEROMA_EXPIRE_MONTHS=3 +pleroma_expire_posts_script=/usr/bin/pleroma-expire-posts +blocking_script_file=/usr/bin/pleroma-blocking pleroma_variables=(ONION_ONLY PLEROMA_DOMAIN_NAME 
@@ -70,6 +72,81 @@ pleroma_variables=(ONION_ONLY MY_EMAIL_ADDRESS MY_USERNAME) +function create_pleroma_blocklist { + echo '#!/bin/bash' > $blocking_script_file + echo "if [ ! -f /root/${PROJECT_NAME}-firewall-domains.cfg ]; then" >> $blocking_script_file + echo ' exit 0' >> $blocking_script_file + echo 'fi' >> $blocking_script_file + echo 'cd /etc/postgresql' >> $blocking_script_file + echo 'while read blocked; do' >> $blocking_script_file + echo ' if [[ "$blocked" == *"."* || "$blocked" == *"@"* ]]; then' >> $blocking_script_file + echo ' if [ ${#blocked} -gt 4 ]; then' >> $blocking_script_file + echo " sudo -u postgres psql -d pleroma -c \"DELETE FROM objects WHERE data->>'content' ilike '%\${blocked}%' or data->>'actor' ilike '%\${blocked}%' or data->>'to' ilike '%\${blocked}%' or data->>'id' ilike '%\${blocked}%' or data->>'external_url' ilike '%\${blocked}%'\"" >> $blocking_script_file + echo " sudo -u postgres psql -d pleroma -c \"DELETE FROM users WHERE nickname ilike '%\${blocked}%'\"" >> $blocking_script_file + echo ' if [[ "$blocked" != *"@"* ]]; then' >> $blocking_script_file + echo " sudo -u postgres psql -d pleroma -c \"DELETE FROM websub_server_subscriptions WHERE callback like '%\${blocked}%'\"" >> $blocking_script_file + echo ' fi' >> $blocking_script_file + echo ' fi' >> $blocking_script_file + echo ' fi' >> $blocking_script_file + echo "done > $blocking_script_file + chmod +x $blocking_script_file + + if ! grep -q "$blocking_script_file" /etc/crontab; then + echo "*/2 * * * * root $blocking_script_file > /dev/null" >> /etc/crontab + fi +} + +function expire_pleroma_posts { + domain_name=$1 + expire_months=$3 + + if [ ! $expire_months ]; then + expire_months=3 + fi + + expire_days=$((expire_months * 30)) + + # files are what take up most of the backup time, so don't keep them for very long + expire_days_files=7 + + # To prevent the database size from growing endlessly this script expires posts + # after a number of months + if [ ! 
-d /etc/pleroma ]; then + return + fi + + echo '#!/bin/bash' > $pleroma_expire_posts_script + echo "plmonths=\"$PLEROMA_EXPIRE_MONTHS\"" >> $pleroma_expire_posts_script + echo 'if [ ${#plmonths} -eq 0 ]; then' >> $pleroma_expire_posts_script + echo ' exit 1' >> $pleroma_expire_posts_script + echo 'fi' >> $pleroma_expire_posts_script + echo 'if [[ "$plmonths" == "0" ]]; then' >> $pleroma_expire_posts_script + echo ' exit 2' >> $pleroma_expire_posts_script + echo 'fi' >> $pleroma_expire_posts_script + echo 'oldate=$(date +%Y-%m-%d --date="$plmonths months ago")' >> $pleroma_expire_posts_script + echo 'cd /etc/postgresql' >> $pleroma_expire_posts_script + echo "sudo -u postgres psql -d pleroma -c \"DELETE FROM notifications WHERE inserted_at <= '\$oldate 01:01:01'\"" >> $pleroma_expire_posts_script + echo "sudo -u postgres psql -d pleroma -c \"DELETE FROM objects WHERE inserted_at <= '\$oldate 01:01:01'\"" >> $pleroma_expire_posts_script + chmod +x $pleroma_expire_posts_script + + pleroma_expire_script=/etc/cron.daily/pleroma-expire + echo '#!/bin/bash' > $pleroma_expire_script + echo "find /etc/pleroma/uploads/* -mtime +${expire_days_files} -exec rm -rf {} +" >> $pleroma_expire_script + echo "$pleroma_expire_posts_script 2> /dev/null" >> $pleroma_expire_script + chmod +x $pleroma_expire_script + + # remove any old cron job + if grep -q "pleroma-expire" /etc/crontab; then + sed -i "/pleroma-expire/d" /etc/crontab + rm /usr/bin/pleroma-expire + fi + + # remove old expire script + if [ -f /etc/cron.weekly/clear-pleroma-database ]; then + rm /etc/cron.weekly/clear-pleroma-database + fi +} + function pleroma_recompile { # necessary after parameter changes chown -R pleroma:pleroma $PLEROMA_DIR @@ -80,6 +157,7 @@ function pleroma_recompile { if [ -f /etc/systemd/system/pleroma.service ]; then systemctl restart pleroma fi + } function logging_on_pleroma { 
@@ -353,6 +431,7 @@ function pleroma_set_title { function pleroma_set_expire_months { PLEROMA_DOMAIN_NAME=$(get_completion_param "pleroma domain") + read_config_param "PLEROMA_DOMAIN_NAME" read_config_param "PLEROMA_EXPIRE_MONTHS" data=$(tempfile 2>/dev/null) @@ -378,7 +457,8 @@ function pleroma_set_expire_months { PLEROMA_EXPIRE_MONTHS=$new_expiry_months write_config_param "PLEROMA_EXPIRE_MONTHS" "$PLEROMA_EXPIRE_MONTHS" - # TODO + expire_pleroma_posts $PLEROMA_DOMAIN_NAME $PLEROMA_EXPIRE_MONTHS + create_pleroma_blocklist dialog --title $"Set Pleroma post expiry period" \ --msgbox $"Expiry period set to $PLEROMA_EXPIRE_MONTHS months" 6 60 @@ -499,6 +579,7 @@ function pleroma_add_emoji { } function configure_interactive_pleroma { + read_config_param PLEROMA_DOMAIN_NAME read_config_param PLEROMA_EXPIRE_MONTHS while true do @@ -531,6 +612,16 @@ function configure_interactive_pleroma { } function upgrade_pleroma { + read_config_param PLEROMA_DOMAIN_NAME + read_config_param PLEROMA_EXPIRE_MONTHS + + if [ ! -f $pleroma_expire_posts_script ]; then + expire_pleroma_posts $PLEROMA_DOMAIN_NAME $PLEROMA_EXPIRE_MONTHS + fi + if [ ! -f $blocking_script_file ]; then + create_pleroma_blocklist + fi + CURR_PLEROMA_COMMIT=$(get_completion_param "pleroma commit") if [[ "$CURR_PLEROMA_COMMIT" == "$PLEROMA_COMMIT" ]]; then return @@ -542,6 +633,9 @@ function upgrade_pleroma { sudo -u pleroma mix deps.get pleroma_recompile + + expire_pleroma_posts $PLEROMA_DOMAIN_NAME $PLEROMA_EXPIRE_MONTHS + create_pleroma_blocklist } function backup_local_pleroma { @@ -688,6 +782,7 @@ function remove_pleroma { remove_completion_param install_pleroma sed -i '/pleroma domain/d' $COMPLETION_FILE sed -i '/pleroma commit/d' $COMPLETION_FILE + sed -i "/$blocking_script_file/d" /etc/crontab function_check remove_ddns_domain remove_ddns_domain $PLEROMA_DOMAIN_NAME 
@@ -900,6 +995,8 @@ function install_pleroma { fi fi + create_pleroma_blocklist + # daemon echo '[Unit]' > /etc/systemd/system/pleroma.service echo 'Description=Pleroma social network' >> /etc/systemd/system/pleroma.service diff --git a/src/freedombone-app-riot b/src/freedombone-app-riot index 2ed55775..bd17550f 100755 --- a/src/freedombone-app-riot +++ b/src/freedombone-app-riot @@ -65,6 +65,10 @@ function add_user_riot { echo '0' } +function riot_remove_bad_links { + sed -i '/riot.im/d' /var/www/$RIOT_DOMAIN_NAME/htdocs/home.html +} + function install_interactive_riot { if [[ $ONION_ONLY != "no" ]]; then RIOT_DOMAIN_NAME='riot.local' @@ -177,6 +181,7 @@ function upgrade_riot { riot_download sed -i "s|riot version.*|riot version:$RIOT_VERSION|g" ${COMPLETION_FILE} + riot_remove_bad_links systemctl restart nginx } 
@@ -246,23 +251,25 @@ function install_riot { riot_download cd /var/www/$RIOT_DOMAIN_NAME/htdocs - cp config.sample.json config.json if [[ $ONION_ONLY == 'no' ]]; then - sed -i "s|\"default_hs_url\":.*|\"default_hs_url\": \"https://${MATRIX_DOMAIN_NAME}\",|g" config.json - sed -i "s|\"default_is_url\":.*|\"default_is_url\": \"https://${MATRIX_DOMAIN_NAME}\",|g" config.json - sed -i "s|\"integrations_ui_url\":.*|\"integrations_ui_url\": \"\",|g" config.json - sed -i "s|\"integrations_rest_url\":.*|\"integrations_rest_url\": \"\",|g" config.json - sed -i "s|\"bug_report_endpoint_url\":.*|\"bug_report_endpoint_url\": \"https://${MATRIX_DOMAIN_NAME}/bugs\",|g" config.json - sed -i "/\"servers\":/a \"${MATRIX_DOMAIN_NAME}\"," config.json + riot_config_file="config.${RIOT_DOMAIN_NAME}.json" + cp config.sample.json $riot_config_file + sed -i "s|\"default_hs_url\":.*|\"default_hs_url\": \"https://${MATRIX_DOMAIN_NAME}\",|g" $riot_config_file + sed -i "s|\"default_is_url\":.*|\"default_is_url\": \"https://${MATRIX_DOMAIN_NAME}\",|g" $riot_config_file + sed -i "s|\"bug_report_endpoint_url\":.*|\"bug_report_endpoint_url\": \"https://${MATRIX_DOMAIN_NAME}/bugs\",|g" $riot_config_file + sed -i "/\"servers\":/a \"${MATRIX_DOMAIN_NAME}\"," $riot_config_file else - sed -i "s|\"default_hs_url\":.*|\"default_hs_url\": \"http://${MATRIX_ONION_DOMAIN_NAME}\",|g" config.json - sed -i "s|\"default_is_url\":.*|\"default_is_url\": \"http://${MATRIX_ONION_DOMAIN_NAME}\",|g" config.json - sed -i "s|\"integrations_ui_url\":.*|\"integrations_ui_url\": \"\",|g" config.json - sed -i "s|\"integrations_rest_url\":.*|\"integrations_rest_url\": \"\",|g" config.json - sed -i "s|\"bug_report_endpoint_url\":.*|\"bug_report_endpoint_url\": \"http://${MATRIX_ONION_DOMAIN_NAME}/bugs\",|g" config.json - sed -i "/\"servers\":/a \"${MATRIX_ONION_DOMAIN_NAME}\"," config.json + riot_config_file="config.${MATRIX_ONION_DOMAIN_NAME}.json" + cp config.sample.json $riot_config_file + sed -i 
"s|\"default_hs_url\":.*|\"default_hs_url\": \"http://${MATRIX_ONION_DOMAIN_NAME}\",|g" $riot_config_file + sed -i "s|\"default_is_url\":.*|\"default_is_url\": \"http://${MATRIX_ONION_DOMAIN_NAME}\",|g" $riot_config_file + sed -i "s|\"bug_report_endpoint_url\":.*|\"bug_report_endpoint_url\": \"http://${MATRIX_ONION_DOMAIN_NAME}/bugs\",|g" $riot_config_file + sed -i "/\"servers\":/a \"${MATRIX_ONION_DOMAIN_NAME}\"," $riot_config_file fi + sed -i "s|\"integrations_ui_url\":.*|\"integrations_ui_url\": \"\",|g" $riot_config_file + sed -i "s|\"integrations_rest_url\":.*|\"integrations_rest_url\": \"\",|g" $riot_config_file + sed -i 's|https://piwik.riot.im/||g' $riot_config_file RIOT_ONION_HOSTNAME=$(add_onion_service riot 80 ${RIOT_ONION_PORT}) @@ -340,6 +347,7 @@ function install_riot { function_check add_ddns_domain add_ddns_domain $RIOT_DOMAIN_NAME + riot_remove_bad_links chown -R www-data:www-data /var/www/$RIOT_DOMAIN_NAME/htdocs systemctl restart nginx diff --git a/src/freedombone-app-syncthing b/src/freedombone-app-syncthing index 9fe808a5..509fae0f 100755 --- a/src/freedombone-app-syncthing +++ b/src/freedombone-app-syncthing @@ -13,7 +13,7 @@ # License # ======= # -# Copyright (C) 2014-2017 Bob Mottram +# Copyright (C) 2014-2018 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by @@ -318,14 +318,6 @@ function restore_local_syncthing { mkdir -p $SYNCTHING_SHARED_DATA fi cp -r ${temp_restore_dir}shared/* $SYNCTHING_SHARED_DATA/ - - if [ ! "$?" = "0" ]; then - set_user_permissions - backup_unmount_drive - systemctl start syncthing - systemctl start cron - exit 37904 - fi rm -rf ${temp_restore_dir}shared fi 
@@ -341,7 +333,15 @@ function restore_local_syncthing { if [ -d ${temp_restore_dir}/home/$USERNAME/Sync ]; then cp -r ${temp_restore_dir}/home/$USERNAME/Sync /home/$USERNAME/ else - cp -r ${temp_restore_dir}/* /home/$USERNAME/Sync/ + if [ ! -d /home/$USERNAME/Sync ]; then + mkdir /home/$USERNAME/Sync + fi + if [ -d /root/Sync ]; then + cp -r /root/Sync/* /home/$USERNAME/Sync/ + rm -rf /root/Sync + else + cp -r ${temp_restore_dir}/* /home/$USERNAME/Sync/ + fi fi if [ ! "$?" = "0" ]; then rm -rf ${temp_restore_dir} @@ -425,7 +425,7 @@ function restore_remote_syncthing { if [ ! -d $SYNCTHING_CONFIG_PATH ]; then mkdir -p $SYNCTHING_CONFIG_PATH fi - cp -r ${temp_restore_dir}config/* $SYNCTHING_CONFIG_PATH/ + cp -r ${temp_restore_dir}/* $SYNCTHING_CONFIG_PATH/ if [ ! "$?" = "0" ]; then systemctl start syncthing systemctl start cron @@ -439,17 +439,11 @@ function restore_remote_syncthing { temp_restore_dir=/root/tempsyncthingshared function_check restore_directory_from_friend restore_directory_from_friend $temp_restore_dir syncthingshared - #cp -r $temp_restore_dir/* / if [ ! -d $SYNCTHING_SHARED_DATA ]; then mkdir -p $SYNCTHING_SHARED_DATA fi - cp -r ${temp_restore_dir}shared/* $SYNCTHING_SHARED_DATA/ - if [ ! "$?" = "0" ]; then - systemctl start syncthing - systemctl start cron - exit 37904 - fi - rm -rf $temp_restore_dir + cp -r ${temp_restore_dir}/* $SYNCTHING_SHARED_DATA/ + rm -rf ${temp_restore_dir} fi if [ -d $SERVER_DIRECTORY/backup/syncthing ]; then @@ -466,7 +460,15 @@ function restore_remote_syncthing { if [ -d $temp_restore_dir/home/$USERNAME/Sync ]; then cp -r $temp_restore_dir/home/$USERNAME/Sync /home/$USERNAME/ else - cp -r $temp_restore_dir/* /home/$USERNAME/Sync/ + if [ ! -d /home/$USERNAME/Sync ]; then + mkdir /home/$USERNAME/Sync + fi + if [ -d /root/Sync ]; then + cp -r /root/Sync/* /home/$USERNAME/Sync/ + rm -rf /root/Sync + else + cp -r ${temp_restore_dir}/* /home/$USERNAME/Sync/ + fi fi if [ ! "$?" = "0" ]; then rm -rf $temp_restore_dir 
diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp index b644af42..cf1eddc0 100755 --- a/src/freedombone-app-xmpp +++ b/src/freedombone-app-xmpp @@ -407,6 +407,25 @@ function upgrade_xmpp { update_prosody_modules xmpp_onion_addresses /etc/prosody/prosody.cfg.lua + if grep -q "/etc/ssl/certs/xmpp.dhparam" /etc/prosody/prosody.cfg.lua; then + cp /etc/ssl/certs/xmpp.dhparam /etc/prosody/xmpp.dhparam + chown prosody:prosody /etc/prosody/xmpp.dhparam + sed -i 's|/etc/ssl/certs/xmpp.dhparam|/etc/prosody/xmpp.dhparam|g' /etc/prosody/prosody.cfg.lua + sed -i 's|/etc/ssl/certs/xmpp.dhparam|/etc/prosody/xmpp.dhparam|g' /etc/prosody/conf.avail/xmpp.cfg.lua + fi + + if grep -q "/etc/ssl/private/xmpp.key" /etc/prosody/prosody.cfg.lua; then + if [ -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem ]; then + sed -i "s|/etc/ssl/private/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua + fi + fi + + if grep -q "/etc/ssl/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then + if [ -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then + sed -i "s|/etc/ssl/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua + fi + fi + curr_prosody_filename=$(cat $COMPLETION_FILE | grep "prosody_filename" | awk -F ':' '{print $2}') if [[ "$curr_prosody_filename" != "$prosody_filename" ]]; then if [ -d ${INSTALL_DIR}/${prosody_filename} ]; then 
@@ -1051,9 +1070,28 @@ function install_xmpp { chmod -R 700 /etc/prosody/conf.d usermod -a -G www-data prosody + # Avoid STIG failures + if [ -f /usr/lib/ssl/private/xmpp.key ]; then + chown root:root /usr/lib/ssl/private/xmpp.key + fi + if [ -f /usr/lib/ssl/certs/xmpp.crt ]; then + chown root:root /usr/lib/ssl/certs/xmpp.crt + fi + if [ -f /usr/lib/ssl/certs/xmpp.dhparam ]; then + chown root:root /usr/lib/ssl/certs/xmpp.dhparam + fi + if [ -d /etc/letsencrypt ]; then usermod -a -G ssl-cert prosody fi + + if [ -f /etc/ssl/certs/xmpp.dhparam ]; then + cp /etc/ssl/certs/xmpp.dhparam /etc/prosody/xmpp.dhparam + chown prosody:prosody /etc/prosody/xmpp.dhparam + sed -i 's|/etc/ssl/certs/xmpp.dhparam|/etc/prosody/xmpp.dhparam|g' /etc/prosody/prosody.cfg.lua + sed -i 's|/etc/ssl/certs/xmpp.dhparam|/etc/prosody/xmpp.dhparam|g' /etc/prosody/conf.avail/xmpp.cfg.lua + fi + apt-mark -q hold prosody systemctl restart prosody diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index dcc71f06..501d4de1 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -1326,9 +1326,14 @@ function reset_tripwire { return fi if [ ! -f /etc/tripwire/${HOSTNAME}-local.key ]; then - echo $'Error: missing local key' - any_key - return + if [ -f /etc/tripwire/${PROJECT_NAME}-local.key ]; then + mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key + mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key + else + echo $'Error: missing local key' + any_key + return + fi fi clear echo $'Turing off logging...' 
@@ -1921,7 +1926,7 @@ function domain_blocking_add { trap "rm -f $data" 0 1 2 5 15 dialog --title $"Block a domain or user" \ --backtitle $"Freedombone Control Panel" \ - --inputbox $"Enter the domain name or GNU Social/postActiv nick@domain that you wish to block" 8 60 "" 2>$data + --inputbox $"Enter the domain name or GNU Social/postActiv/Pleroma nick@domain that you wish to block" 8 60 "" 2>$data sel=$? case $sel in 0) @@ -1933,7 +1938,7 @@ function domain_blocking_add { dialog --title $"Block a domain" \ --msgbox $"The domain $blocked_domain has been blocked" 6 40 else - dialog --title $"Block a GNU Social/postActiv nickname" \ + dialog --title $"Block a GNU Social/postActiv/Pleroma nickname" \ --msgbox $"$blocked_domain has been blocked" 6 40 fi fi diff --git a/src/freedombone-image b/src/freedombone-image index 467ee87b..53a2535a 100755 --- a/src/freedombone-image +++ b/src/freedombone-image @@ -547,7 +547,7 @@ if [[ $VARIANT == 'meshclient' || $VARIANT == 'meshusb' ]]; then fi if [ ! $IMAGE_SIZE_SPECIFIED ]; then - IMAGE_SIZE=7.9G + IMAGE_SIZE=15.0G fi fi diff --git a/src/freedombone-restore-local b/src/freedombone-restore-local index bceae807..62e1e3a9 100755 --- a/src/freedombone-restore-local +++ b/src/freedombone-restore-local @@ -13,7 +13,7 @@ # License # ======= # -# Copyright (C) 2015-2017 Bob Mottram +# Copyright (C) 2015-2018 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by @@ -464,6 +464,9 @@ function restore_gpg { if [ -d $temp_restore_dir/home/$USERNAME/.gnupg ]; then cp -r $temp_restore_dir/home/$USERNAME/.gnupg /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.gnupg ]; then + mkdir /home/$USERNAME/.gnupg + fi cp -r $temp_restore_dir/* /home/$USERNAME/.gnupg/ fi if [ ! "$?" = "0" ]; then 
@@ -543,6 +546,9 @@ function restore_spamassassin { if [ -d $temp_restore_dir/home/$USERNAME ]; then cp -rf $temp_restore_dir/home/$USERNAME/.spamassassin /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.spamassassin ]; then + mkdir /home/$USERNAME/.spamassassin + fi cp -rf $temp_restore_dir/* /home/$USERNAME/.spamassassin/ fi if [ ! "$?" = "0" ]; then @@ -611,6 +617,9 @@ function restore_user_ssh_keys { if [ -d $temp_restore_dir/home/$USERNAME/.ssh ]; then cp -r $temp_restore_dir/home/$USERNAME/.ssh /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.ssh ]; then + mkdir /home/$USERNAME/.ssh + fi cp -r $temp_restore_dir/* /home/$USERNAME/.ssh/ fi if [ ! "$?" = "0" ]; then @@ -644,6 +653,9 @@ function restore_user_config { if [ -d $temp_restore_dir/home/$USERNAME/.config ]; then cp -r $temp_restore_dir/home/$USERNAME/.config /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.config ]; then + mkdir /home/$USERNAME/.config + fi cp -r $temp_restore_dir/* /home/$USERNAME/.config/ fi if [ ! "$?" = "0" ]; then @@ -677,6 +689,9 @@ function restore_user_monkeysphere { if [ -d $temp_restore_dir/home/$USERNAME/.monkeysphere ]; then cp -r $temp_restore_dir/home/$USERNAME/.monkeysphere /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.monkeysphere ]; then + mkdir /home/$USERNAME/.monkeysphere + fi cp -r $temp_restore_dir/* /home/$USERNAME/.monkeysphere fi if [ ! "$?" = "0" ]; then @@ -718,6 +733,9 @@ function restore_user_fin { if [ -d $temp_restore_dir/home/$USERNAME/.fin ]; then cp -r $temp_restore_dir/home/$USERNAME/.fin /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.fin ]; then + mkdir /home/$USERNAME/.fin + fi cp -r $temp_restore_dir/* /home/$USERNAME/.fin/ fi if [ ! "$?" = "0" ]; then 
@@ -751,6 +769,9 @@ function restore_user_local { if [ -d $temp_restore_dir/home/$USERNAME/.local ]; then cp -r $temp_restore_dir/home/$USERNAME/.local /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.local ]; then + mkdir /home/$USERNAME/.local + fi cp -r $temp_restore_dir/* /home/$USERNAME/.local/ fi if [ ! "$?" = "0" ]; then @@ -837,6 +858,9 @@ function restore_personal_settings { if [ -d $temp_restore_dir/home/$USERNAME/personal ]; then mv $temp_restore_dir/home/$USERNAME/personal /home/$USERNAME else + if [ ! -d /home/$USERNAME/personal ]; then + mkdir /home/$USERNAME/personal + fi cp -r $temp_restore_dir/* /home/$USERNAME/personal/ fi if [ ! "$?" = "0" ]; then diff --git a/src/freedombone-restore-remote b/src/freedombone-restore-remote index e6a448dc..b7d55782 100755 --- a/src/freedombone-restore-remote +++ b/src/freedombone-restore-remote @@ -13,7 +13,7 @@ # License # ======= # -# Copyright (C) 2015-2017 Bob Mottram +# Copyright (C) 2015-2018 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by @@ -419,6 +419,9 @@ function restore_gpg { if [ -d ${temp_restore_dir}/home/$USERNAME/.gnupg ]; then cp -r ${temp_restore_dir}/home/$USERNAME/.gnupg /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.gnupg ]; then + mkdir /home/$USERNAME/.gnupg + fi cp -r ${temp_restore_dir}/* /home/$USERNAME/.gnupg/ fi if [ ! "$?" = "0" ]; then @@ -488,6 +491,9 @@ function restore_spamassassin { if [ -d $temp_restore_dir/home/$USERNAME ]; then cp -rf $temp_restore_dir/home/$USERNAME/.spamassassin /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.spamassassin ]; then + mkdir /home/$USERNAME/.spamassassin + fi cp -rf $temp_restore_dir/* /home/$USERNAME/.spamassassin/ fi if [ ! "$?" = "0" ]; then 
@@ -542,6 +548,9 @@ function restore_ssh_keys { if [ -d $temp_restore_dir/home/$USERNAME/.ssh ]; then cp -r $temp_restore_dir/home/$USERNAME/.ssh /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.ssh ]; then + mkdir /home/$USERNAME/.ssh + fi cp -r $temp_restore_dir/* /home/$USERNAME/.ssh/ fi if [ ! "$?" = "0" ]; then @@ -573,6 +582,9 @@ function restore_user_config { if [ -d $temp_restore_dir/home/$USERNAME ]; then cp -r $temp_restore_dir/home/$USERNAME/.config /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.config ]; then + mkdir /home/$USERNAME/.config + fi cp -r $temp_restore_dir/* /home/$USERNAME/.config/ fi if [ ! "$?" = "0" ]; then @@ -604,6 +616,9 @@ function restore_user_monkeysphere { if [ -d $temp_restore_dir/home/$USERNAME/.monkeysphere ]; then cp -r $temp_restore_dir/home/$USERNAME/.monkeysphere /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.monkeysphere ]; then + mkdir /home/$USERNAME/.monkeysphere + fi cp -r $temp_restore_dir/* /home/$USERNAME/.monkeysphere/ fi if [ ! "$?" = "0" ]; then @@ -643,6 +658,9 @@ function restore_user_fin { if [ -d $temp_restore_dir/home/$USERNAME/.fin ]; then cp -r $temp_restore_dir/home/$USERNAME/.fin /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.fin ]; then + mkdir /home/$USERNAME/.fin + fi cp -r $temp_restore_dir/* /home/$USERNAME/.fin/ fi if [ ! "$?" = "0" ]; then @@ -674,6 +692,9 @@ function restore_user_local { if [ -d $temp_restore_dir/home/$USERNAME/.local ]; then cp -r $temp_restore_dir/home/$USERNAME/.local /home/$USERNAME/ else + if [ ! -d /home/$USERNAME/.local ]; then + mkdir /home/$USERNAME/.local + fi cp -r $temp_restore_dir/* /home/$USERNAME/.local/ fi if [ ! "$?" = "0" ]; then @@ -754,6 +775,9 @@ function restore_personal_settings { fi mv $temp_restore_dir/home/$USERNAME/personal /home/$USERNAME else + if [ ! -d /home/$USERNAME/personal ]; then + mkdir /home/$USERNAME/personal + fi cp -r $temp_restore_dir/* /home/$USERNAME/personal/ fi if [ ! "$?" = "0" ]; then 
diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index eee348c0..733278fd 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -547,6 +547,9 @@ function firewall_block_domain { if [ -f /usr/bin/postactiv-firewall ]; then /usr/bin/postactiv-firewall fi + if [ -f /usr/bin/pleroma-blocking ]; then + /usr/bin/pleroma-blocking + fi fi } diff --git a/src/freedombone-utils-mesh b/src/freedombone-utils-mesh index 504bd52e..84742a41 100755 --- a/src/freedombone-utils-mesh +++ b/src/freedombone-utils-mesh @@ -107,12 +107,12 @@ function mesh_protocol_init { fi } -function get_ipv4_wlan { - echo $(ip -o -f inet addr show dev "$IFACE" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}') +function get_ipv6_wlan { + echo $(ifconfig ${IFACE} | grep inet6 | awk -F ' ' '{print $2}') } function mesh_hotspot_ip_address { - echo $(ip -o -f inet addr show dev "${BRIDGE}" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}') + echo $(ifconfig ${BRIDGE} | grep inet6 | awk -F ' ' '{print $2}') } function global_rate_limit { @@ -368,7 +368,7 @@ function enable_mesh_scuttlebot { if [ -f /etc/scuttlebot/.ssb/config ]; then ethernet_connected=$(cat /sys/class/net/eth0/carrier) if [[ "$ethernet_connected" != "0" ]]; then - sed -i "s|\"host\": .*|\"host\": \"$(get_ipv4_wlan)\",|g" /etc/scuttlebot/.ssb/config + sed -i "s|\"host\": .*|\"host\": \"$(get_ipv6_wlan)\",|g" /etc/scuttlebot/.ssb/config systemctl restart scuttlebot else if [ ! -f /etc/nginx/sites-available/git_ssb ]; then diff --git a/src/freedombone-utils-ssh b/src/freedombone-utils-ssh index 67367b7b..8fed11f8 100755 --- a/src/freedombone-utils-ssh +++ b/src/freedombone-utils-ssh 
@@ -59,8 +59,8 @@ function configure_ssh { if ! grep -q 'HostbasedAuthentication' /etc/ssh/sshd_config; then echo 'HostbasedAuthentication no' >> /etc/ssh/sshd_config fi - sed 's|#HostbasedAuthentication.*|HostbasedAuthentication no|g' /etc/ssh/sshd_config - sed 's|HostbasedAuthentication.*|HostbasedAuthentication no|g' /etc/ssh/sshd_config + sed -i 's|#HostbasedAuthentication.*|HostbasedAuthentication no|g' /etc/ssh/sshd_config + sed -i 's|HostbasedAuthentication.*|HostbasedAuthentication no|g' /etc/ssh/sshd_config sed -i 's|#PrintLastLog.*|PrintLastLog yes|g' /etc/ssh/sshd_config sed -i 's|PrintLastLog.*|PrintLastLog yes|g' /etc/ssh/sshd_config sed -i 's|#IgnoreRhosts.*|IgnoreRhosts yes|g' /etc/ssh/sshd_config diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web index c47ff87f..77abec99 100755 --- a/src/freedombone-utils-web +++ b/src/freedombone-utils-web 
@@ -756,81 +756,85 @@ function configure_firewall_for_web_access { function update_default_domain { echo $'Updating default domain' if [[ $ONION_ONLY == 'no' ]]; then - if [ -d /etc/prosody ]; then - if [ -f /etc/mumble-server.ini ]; then - if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then - if ! grep -q "mumble.pem" /etc/mumble-server.ini; then - sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini - sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini - systemctl restart mumble - fi - else - if ! grep -q "${DEFAULT_DOMAIN_NAME}.pem" /etc/mumble-server.ini; then - usermod -a -G ssl-cert mumble-server - sed -i "s|sslCert=.*|sslCert=/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/mumble-server.ini - sed -i "s|sslKey=.*|sslKey=/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/mumble-server.ini - systemctl restart mumble - fi + if [ -f /etc/mumble-server.ini ]; then + if [ ! -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then + if ! grep -q "mumble.pem" /etc/mumble-server.ini; then + sed -i 's|sslCert=.*|sslCert=/var/lib/mumble-server/mumble.pem|g' /etc/mumble-server.ini + sed -i 's|sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini + systemctl restart mumble + fi + else + if ! grep -q "${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/mumble-server.ini; then + usermod -a -G ssl-cert mumble-server + sed -i "s|sslCert=.*|sslCert=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/mumble-server.ini + sed -i "s|sslKey=.*|sslKey=/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/mumble-server.ini + systemctl restart mumble fi fi + fi + if [ -d /etc/prosody ]; then if [ ! 
-d /etc/prosody/certs ]; then mkdir /etc/prosody/certs fi cp /etc/ssl/private/xmpp* /etc/prosody/certs cp /etc/ssl/certs/xmpp* /etc/prosody/certs - if [ /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then + if [ -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then usermod -a -G ssl-cert prosody if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then - sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua + sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua fi if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/conf.avail/xmpp.cfg.lua; then - sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua + sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua fi if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/prosody.cfg.lua; then - sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua + sed -i "s|/etc/prosody/certs/xmpp.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua fi if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then - sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua + sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua fi - fi - if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then - sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua - fi + if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" 
/etc/prosody/conf.avail/xmpp.cfg.lua; then + sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua + fi - if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/conf.avail/xmpp.cfg.lua; then - sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua - fi + if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/conf.avail/xmpp.cfg.lua; then + sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua + fi - if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/prosody.cfg.lua; then - sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua - fi + if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/prosody.cfg.lua; then + sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem|g" /etc/prosody/prosody.cfg.lua + fi - if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/prosody.cfg.lua; then - sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua + if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/prosody/prosody.cfg.lua; then + sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.pem|/etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem|g" /etc/prosody/prosody.cfg.lua + fi fi chown -R prosody:default /etc/prosody chmod -R 700 /etc/prosody/certs/* chmod 600 /etc/prosody/prosody.cfg.lua - cp -r $INSTALL_DIR/prosody-modules/* /var/lib/prosody/prosody-modules/ + if [ -d $INSTALL_DIR/prosody-modules ]; then + cp -r $INSTALL_DIR/prosody-modules/* /var/lib/prosody/prosody-modules/ + cp -r 
$INSTALL_DIR/prosody-modules/* /usr/lib/prosody/modules/ + fi chown -R prosody:prosody /var/lib/prosody/prosody-modules + chown -R prosody:prosody /usr/lib/prosody/modules systemctl reload prosody fi if [ -d /home/znc/.znc ]; then echo $'znc found' - if [[ "$(cert_exists ${DEFAULT_DOMAIN_NAME} pem)" == "1" ]]; then + if [ -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then pkill znc cat /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key > /home/znc/.znc/znc.pem chown znc:znc /home/znc/.znc/znc.pem chmod 700 /home/znc/.znc/znc.pem - sed -i "s|CertFile =.*|CertFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" /etc/ngircd/ngircd.conf + sed -i "s|CertFile =.*|CertFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem" /etc/ngircd/ngircd.conf sed -i "s|DHFile =.*|DHFile = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.dhparam" /etc/ngircd/ngircd.conf - sed -i "s|KeyFile =.*|KeyFile = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" /etc/ngircd/ngircd.conf + sed -i "s|KeyFile =.*|KeyFile = /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem" /etc/ngircd/ngircd.conf echo $'irc certificates updated' systemctl restart ngircd @@ -839,16 +843,17 @@ function update_default_domain { fi if [ ${#DEFAULT_DOMAIN_NAME} -gt 0 ]; then - if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then + if [ -f /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/fullchain.pem ]; then if [ -d /etc/dovecot ]; then - if ! grep -q "ssl_cert = - + - + -
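Review bot: in the install_xmpp hunk the `chown root:root` on /usr/lib/ssl/private/xmpp.key removes whatever group ownership previously let the prosody user read the key, so the change only works if prosody.cfg.lua points at the copies under /etc/prosody/certs rather than at /etc/ssl/private/xmpp.key; worth confirming before merging. The dhparam block directly below refers to the same files as /etc/ssl/certs while the chown block uses /usr/lib/ssl; using one spelling would make it obvious that both blocks touch the same directory.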
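Review bot: in the reset_tripwire hunk only the ${PROJECT_NAME}-local.key file is tested before the rename; the `mv` of ${PROJECT_NAME}-site.key is unconditional, so if that file is absent the function continues past a failed mv and tripwire later fails on the missing site key. Test both files (or guard the site-key mv with its own `-f`) before renaming. The context line `echo $'Turing off logging...'` should read `Turning`.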
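Review bot: both domain_blocking_add hunks change a `$"..."` gettext string (the inputbox prompt and the msgbox title), so the translation catalogues need the new "GNU Social/postActiv/Pleroma" msgids or those dialogs fall back to English for translated locales.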
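Review bot: in the freedombone-image hunk the new IMAGE_SIZE=15.0G should be checked against the unit the image builder applies. If `G` is interpreted as GiB, a 15.0 GiB image is about 16.1 GB decimal and will not fit on a drive sold as "16GB" (roughly 14.9 GiB), which is exactly the size the mesh_images page in this patch tells users is sufficient; either choose a value comfortably below 14.9G or raise the documented minimum to 32GB.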
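Review bot: in the restore_gpg and restore_user_ssh_keys hunks (in both freedombone-restore-local and freedombone-restore-remote) the new `mkdir /home/$USERNAME/.gnupg` and `mkdir /home/$USERNAME/.ssh` create the directories with the process umask, typically 755. gpg warns about unsafe homedir permissions, and with sshd's default StrictModes a group- or world-readable ~/.ssh causes authorized_keys to be ignored; use `mkdir -m 700` in these two cases. The same hunks also leave the directory and copied files owned by root unless a chown follows outside the hunk, which is worth confirming.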
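Review bot: in the freedombone-utils-mesh hunk `ifconfig ${IFACE} | grep inet6 | awk -F ' ' '{print $2}'` prints every IPv6 address on the interface, so on a typical mesh interface (a link-local fe80:: address plus a ULA or global one) the command substitution yields several addresses separated by spaces, and that whole string is written into the scuttlebot `"host"` field by the sed in enable_mesh_scuttlebot. Select one scope explicitly, for example `ip -6 -o addr show dev "$IFACE" scope global | awk '{print $4}' | cut -d/ -f1 | head -n1` (or `scope link` if the mesh relies on link-local addressing), which also removes the dependency on net-tools, since ifconfig is no longer installed by default on current Debian. Renaming get_ipv4_wlan to get_ipv6_wlan also requires updating any other callers; this hunk only updates enable_mesh_scuttlebot.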
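Review bot: the freedombone-utils-ssh hunk is a genuine fix: without `-i` the two sed commands only wrote to stdout, so sshd_config was never modified and HostbasedAuthentication was not actually being forced off on existing installs. With the edit now live, the first sed is redundant because the pattern `HostbasedAuthentication.*` in the second one also matches the commented form, and it is worth running `sshd -t` before restarting the service so that a malformed edit cannot lock out remote access.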
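Review bot: in the update_default_domain hunks that point mumble, prosody and ngircd at /etc/letsencrypt/live/${DEFAULT_DOMAIN_NAME}/privkey.pem, the `usermod -a -G ssl-cert mumble-server` and `usermod -a -G ssl-cert prosody` calls no longer grant anything useful: certbot by default keeps /etc/letsencrypt/live and /etc/letsencrypt/archive accessible to root only, so the mumble-server and prosody users cannot open privkey.pem unless those directories are relaxed or the files are copied into a service-owned location, as the existing `cp /etc/ssl/private/xmpp* /etc/prosody/certs` step already does for the self-signed pair. Either add an equivalent copy for the Let's Encrypt files (re-run on renewal) or expect TLS startup failures after the first renewal.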
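Review bot: in the znc section of update_default_domain the condition now tests the Let's Encrypt fullchain.pem, but the unchanged line below still concatenates /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem and /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key into /home/znc/.znc/znc.pem, so when only the letsencrypt paths exist znc.pem ends up empty and znc cannot serve TLS; the cat should use fullchain.pem and privkey.pem. The ngircd sed commands in the same hunk are also missing the closing `|` delimiter (`s|CertFile =.*|CertFile = .../fullchain.pem"`, and likewise the DHFile and KeyFile lines), which GNU sed rejects as an unterminated `s' command, so ngircd.conf is never updated even though the script then reports "irc certificates updated".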
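Review bot: in the prosody section of update_default_domain, `chown -R prosody:prosody /usr/lib/prosody/modules` gives the service account write access to its own code directory (the module tree installed by the Debian package), so a compromise of the prosody process could persist by editing a module. prosody only needs read access; keep that directory root-owned and world-readable, and note that the new `cp -r $INSTALL_DIR/prosody-modules/* /usr/lib/prosody/modules/` silently overwrites any packaged module of the same name every time the function runs.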
-

Text chat

-
+
+

Text chat

+

In addition to voice it is also possible to do text chat via mumble. The security of this is pretty good provided that you do it via Plumble and Orbot on mobile, but compared to other options such as XMPP/Conversations or Tox the security is not as good, since the mumble server currently doesn't support forward secrecy.

-
-

Using with Ubuntu

-
+
+

Using with Ubuntu

+

First ensure that tor is installed. Within a terminal:

@@ -298,9 +299,9 @@ Click on "add new" to add a new server and enter the default domain name
-
-

Using with Android

-
+
+

Using with Android

+

Install F-Droid

@@ -318,11 +319,11 @@ Press the plus button to add a Mumble server.

-Enter a label (which can be any name you choose for the server), the default domain name of the Freedombone or preferably the mumble onion address as shown on the About screen of the Administrator control panel, your username (which can also be anything) and the mumble password which can be found in the Passwords section of the Administrator control panel. +Enter a label (which can be any name you choose for the server), the default domain name of the Freedombone or preferably the mumble onion address as shown on the About screen of the Administrator control panel, your username (which can also be anything) and the mumble password which can be found in the Passwords section of the Administrator control panel. Leave the port number unchanged.

-Open the settings. Select General, then Connect via Tor. This will provide better protection, making it more difficult for adversaries to know who is talking to who. +Open the settings. Select General, then Connect via Tor. This will provide better protection, making it more difficult for adversaries to know who is talking to who. If connecting through Tor is unreliable and causes crashes then unselect Connect via Tor on the General settings and then just use your ordinary domain name.

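Review bot: the Plumble hunk adds advice to unselect Connect via Tor and use the ordinary domain name when Tor is unreliable, immediately after the sentence explaining that Tor hides who is talking to whom; the new sentence should state that this fallback gives up that protection (the connection and its endpoints become visible to the network path), so readers can make the trade-off knowingly rather than treating it as a harmless workaround.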
diff --git a/website/EN/fediverse.html b/website/EN/fediverse.html index e11db16d..4245fcd9 100644 --- a/website/EN/fediverse.html +++ b/website/EN/fediverse.html @@ -3,10 +3,10 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + - + -

-

Keep the number of users on each server small

-
+
+

Keep the number of users on each server small

+

The importance of this can't be overstated. Servers with lots of users always eventually have problems where the interests of the users are not the same as the interests of the server administrator. If you are the server administrator, or if there are only a small squad-size group of people on the server, then it's a lot easier to resolve differences and everyone's interests are likely to be similar.

-
-

Drama will happen

-
+
+

Drama will happen

+

It's inevitable in any social network, but fortunately your options for dealing with it are better than they are in the giant proprietary monoliths. In the proprietary world Google or Facebook don't give a damn about the fate of individual users. On a server with a small number of users if you're getting griefed then the administrator is likely to care and be able to do something about it.

-
-

Don't be afraid to block

-
+
+

Don't be afraid to block

+

Especially if other servers are publishing content which may not be legal in your jurisdiction then don't be afraid to use domain or user blocking from the Administrator control panel. The same applies if users on other servers are trying to harass you. Blocking creates politics and drama but this is a feature not a bug. It allows you to craft your own distinct community and user experience while also existing in the wider federation. It's hard to do this on sites like Twitter or Facebook. Try to keep blocking to a minimum though and avoid doing it for insubstantial reasons. If you have other users on your server then publish the blocked domains list somewhere they can see. That avoids disappointment and enables you to have a discussion about the validity of blocking decisions.

-
-

Network structure maps on to social structure

-
+
+

Network structure maps on to social structure

+

Over time follows and blocking rules come to match the underlying social geography of affinity groups. Blocking will happen and users will move around or start new servers. Drama related to blocking will dissipate.

-
-

Keep your follows under the Dunbar number

-
+
+

Keep your follows under the Dunbar number

+

Keep the number of other users you're following and who are also active to under a couple of hundred. Any more than that and you'll just be overwhelmed by irrelevant stuff and whatever community you may have been part of will dissolve in a sea of entropy. There are no algorithmic timelines, and even if they're introduced then they create their own problems as an opaque form of censorship. Real community happens at tribal scale. It's something which people often don't like to admit because they get fixated upon bigger and bigger numbers, but it definitely seems to be true.

-
-

Avoid big public servers

-
+
+

Avoid big public servers

+

It may seem like a good idea and it may seem like you're doing a service to the community by allowing random strangers to register, but servers with thousands of users only cause problems - social, administrative, financial and possibly also legal. The financial strain of running a powerful server with high reliability may be enough to encourage the administrator to begin pushing advertising onto the system, or sell user content, and then before you know it you have identical problems to Twitter. Instead try to encourage people to set up their own servers. Follow this principle and a lot of arguments and stress will be more easily avoided.

@@ -308,7 +308,7 @@ It may seem like a good idea and it may seem like you're doing a service to the

-This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion. This documentation is under the GNU Free Documentation License version 1.3 +This site can also be accessed via a Tor browser at http://7ec7btgr6m7c5r3h.onion. This documentation is under the GNU Free Documentation License version 1.3

diff --git a/website/EN/homeserver.html b/website/EN/homeserver.html index 830e21e3..c23e21ca 100644 --- a/website/EN/homeserver.html +++ b/website/EN/homeserver.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + @@ -478,7 +478,7 @@ Of course, this is just one way in which you can install the Freedombone system.

-This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion +This site can also be accessed via a Tor browser at http://7ec7btgr6m7c5r3h.onion

diff --git a/website/EN/index.html b/website/EN/index.html index 7f318fc3..0ccd9e0a 100644 --- a/website/EN/index.html +++ b/website/EN/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + @@ -299,7 +299,7 @@ Ready made disk images which can be copied onto USB or microSD drives are

-This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion. This documentation is under the GNU Free Documentation License version 1.3 +This site can also be accessed via a Tor browser at http://7ec7btgr6m7c5r3h.onion. This documentation is under the GNU Free Documentation License version 1.3

diff --git a/website/EN/mesh.html b/website/EN/mesh.html index 58f38425..d285f24e 100644 --- a/website/EN/mesh.html +++ b/website/EN/mesh.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + @@ -284,7 +284,7 @@ Like LibreMesh, this system uses a combinati

-This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion +This site can also be accessed via a Tor browser at http://7ec7btgr6m7c5r3h.onion

diff --git a/website/EN/mesh_images.html b/website/EN/mesh_images.html index 381f16bb..f4f8bf04 100644 --- a/website/EN/mesh_images.html +++ b/website/EN/mesh_images.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + @@ -246,13 +246,13 @@ for the JavaScript code in this tag.

Mesh Network: Images

-
-

Pre-built Disk Images

-
+
+

Pre-built Disk Images

+
-
-

Writing many images quickly

-
+
+

Writing many images quickly

+

There may be situations where you need to write the same disk image to multiple drives at the same time in order to maximize rate of deployment. In the instructions given below the dd command is used for writing to the target drive, but to write to multiple drives you can use a tool such as GNOME MultiWriter.

@@ -280,9 +280,9 @@ The MultiWriter tool is also available within mesh client images, so that you ca

-
-

Client images

-
+
+

Client images

+
@@ -292,7 +292,7 @@ The MultiWriter tool is also available within mesh client images, so that you ca

-"Client" isn't exactly the right term, but it's a mesh peer with a user interface. These images can be copied to a USB drive, then you can plug it into a laptop/netbook/desktop machine and boot from it. You will probably also need an Atheros USB wifi dongle (the black protruding object on the left side of the netbook in the picture above), because most built-in wifi usually requires proprietary firmware. In the commands below substitute /dev/sdX with the USB drive device, excluding any trailing numbers (eg. /dev/sdb). The USB drive you're copying to will need to be at least 8GB in size. +"Client" isn't exactly the right term, but it's a mesh peer with a user interface. These images can be copied to a USB drive, then you can plug it into a laptop/netbook/desktop machine and boot from it. You will probably also need an Atheros USB wifi dongle (the black protruding object on the left side of the netbook in the picture above), because most built-in wifi usually requires proprietary firmware. In the commands below substitute /dev/sdX with the USB drive device, excluding any trailing numbers (eg. /dev/sdb). The USB drive you're copying to will need to be at least 16GB in size.

@@ -331,16 +331,16 @@ sudo dd bs=1M -

Router images

-
+
+

Router images

+

Routers are intended to build network coverage for an area using small and low cost hardware. You can bolt them to walls or leave them on window ledges. They don't have any user interface and their only job is to haul network traffic across the mesh and to enable peers to find each other via running bootstrap nodes for Tox and IPFS. Copy the image to a microSD card and insert it into the router, plug in an Atheros wifi dongle and power on. That should be all you need to do.

-
-

Beaglebone Black

-
+
+

Beaglebone Black

+
@@ -377,9 +377,9 @@ There is still a software freedom issue with the Beaglebone Black, but it doesn'
-
-

Building Disk Images

-
+
+

Building Disk Images

+

It's better not to trust images downloaded from random places on the interwebs. Chances are that unless you are in the web of trust of the above GPG signatures then they don't mean very much to you. If you actually want something trustworthy then build the images from scratch. It will take some time. Here's how to do it.

diff --git a/website/EN/support.html b/website/EN/support.html index 3a8439d1..3f6f385a 100644 --- a/website/EN/support.html +++ b/website/EN/support.html @@ -3,10 +3,10 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + - + Support -
-

Contact details

-
+
+

Contact details

+

-This site can also be accessed via a Tor browser at http://pazyv7nkllp76hqr.onion +This site can also be accessed via a Tor browser at http://7ec7btgr6m7c5r3h.onion

@@ -260,11 +260,7 @@ This site can also be accessed via a Tor browser at

-
-

Things which would be nice to have

-