From 27782986076a3a32de1fef03b99649152d7a83f6 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 1 Jan 2017 20:40:08 +0000
Subject: [PATCH] Reorganize matrix
---
 src/freedombone-app-matrix | 218 ++++++++++++++++++-------------------
 src/freedombone-utils-turn | 77 ++++++++++++-
 src/freedombone-utils-web | 97 +++++++++++++++++
 3 files changed, 276 insertions(+), 116 deletions(-)
diff --git a/src/freedombone-app-matrix b/src/freedombone-app-matrix
index f3995a8f..08e95bef 100755
--- a/src/freedombone-app-matrix
+++ b/src/freedombone-app-matrix
@@ -36,8 +36,12 @@ IN_DEFAULT_INSTALL=0
 SHOW_ON_ABOUT=1
 MATRIX_DATA_DIR='/var/lib/matrix'
+MATRIX_HTTP_PORT=8558
+MATRIX_ID_HTTP_PORT=8557
 MATRIX_PORT=8448
 MATRIX_ID_PORT=8081
+MATRIX_ONION_PORT=8109
+MATRIX_ID_ONION_PORT=8111
 MATRIX_REPO="https://github.com/matrix-org/synapse"
 MATRIX_COMMIT='f5a4001bb116c468cc5e8e0ae04a1c570e2cb171'
 SYDENT_REPO="https://github.com/matrix-org/sydent"
@@ -51,124 +55,115 @@ matrix_variables=(ONION_ONLY DEFAULT_DOMAIN_NAME) function matrix_nginx { - matrix_identityserver_proxy_str=' \ - location /_matrixid { \ - proxy_pass http://localhost:8081; \ - proxy_set_header X-Forwarded-For $remote_addr; \ - }' - matrix_proxy_str=' \ - location /_matrix { \ - proxy_pass https://localhost:8448; \ - proxy_set_header X-Forwarded-For $remote_addr; \ - }' - turn_proxy_str=' \ - location /_turn { \ - proxy_pass https://localhost:3478; \ - proxy_set_header X-Forwarded-For $remote_addr; \ - }' + create_default_web_site - if [[ $ONION_ONLY != 'no' ]]; then - matrix_proxy_str=' \ - location /_matrix { \ - proxy_pass http://localhost:8448; \ - proxy_set_header X-Forwarded-For $remote_addr; \ - }' - turn_proxy_str=' \ - location /_turn { \ - proxy_pass http://localhost:3478; \ - proxy_set_header X-Forwarded-For $remote_addr; \ - }' - fi - - if [ ! -f /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} ]; then - matrix_nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME - if [[ $ONION_ONLY == "no" ]]; then - function_check nginx_http_redirect - nginx_http_redirect $DEFAULT_DOMAIN_NAME - echo 'server {' >> $matrix_nginx_site - echo ' listen 443 ssl;' >> $matrix_nginx_site - echo ' listen [::]:443 ssl;' >> $matrix_nginx_site - echo " server_name $DEFAULT_DOMAIN_NAME;" >> $matrix_nginx_site - echo '' >> $matrix_nginx_site - echo ' # Security' >> $matrix_nginx_site - function_check nginx_ssl - nginx_ssl $DEFAULT_DOMAIN_NAME - - function_check nginx_disable_sniffing - nginx_disable_sniffing $DEFAULT_DOMAIN_NAME - - echo ' add_header Strict-Transport-Security max-age=15768000;' >> $matrix_nginx_site - echo '' >> $matrix_nginx_site - echo ' # Logs' >> $matrix_nginx_site - echo ' access_log /dev/null;' >> $matrix_nginx_site - echo ' error_log /dev/null;' >> $matrix_nginx_site - echo '' >> $matrix_nginx_site - echo ' # Root' >> $matrix_nginx_site - echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $matrix_nginx_site - echo '' >> 
$matrix_nginx_site - echo ' # Index' >> $matrix_nginx_site - echo ' index index.html;' >> $matrix_nginx_site - echo '' >> $matrix_nginx_site - echo ' # Location' >> $matrix_nginx_site - echo ' location / {' >> $matrix_nginx_site - function_check nginx_limits - nginx_limits $DEFAULT_DOMAIN_NAME '15m' - echo ' }' >> $matrix_nginx_site - echo '' >> $matrix_nginx_site - echo ' # Restrict access that is unnecessary anyway' >> $matrix_nginx_site - echo ' location ~ /\.(ht|git) {' >> $matrix_nginx_site - echo ' deny all;' >> $matrix_nginx_site - echo ' }' >> $matrix_nginx_site - echo '}' >> $matrix_nginx_site - else - echo -n '' > $matrix_nginx_site - fi + # append the matrix server to the web site config + matrix_nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME + if [[ $ONION_ONLY == "no" ]]; then + echo '# Matrix Server' >> $matrix_nginx_site echo 'server {' >> $matrix_nginx_site - echo " listen 127.0.0.1:$MATRIX_PORT default_server;" >> $matrix_nginx_site - echo " server_name $DEFAULT_DOMAIN_NAME;" >> $matrix_nginx_site + echo " listen ${MATRIX_HTTP_PORT} ssl;" >> $matrix_nginx_site + echo ' listen [::]:${MATRIX_HTTP_PORT} ssl;' >> $matrix_nginx_site + echo " server_name ${DEFAULT_DOMAIN_NAME};" >> $matrix_nginx_site echo '' >> $matrix_nginx_site + echo ' # Security' >> $matrix_nginx_site + function_check nginx_ssl + nginx_ssl ${DEFAULT_DOMAIN_NAME} + function_check nginx_disable_sniffing - nginx_disable_sniffing $DEFAULT_DOMAIN_NAME + nginx_disable_sniffing ${DEFAULT_DOMAIN_NAME} + + echo ' add_header Strict-Transport-Security max-age=15768000;' >> $matrix_nginx_site echo '' >> $matrix_nginx_site echo ' # Logs' >> $matrix_nginx_site echo ' access_log /dev/null;' >> $matrix_nginx_site echo ' error_log /dev/null;' >> $matrix_nginx_site echo '' >> $matrix_nginx_site - echo ' # Root' >> $matrix_nginx_site - echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $matrix_nginx_site + echo ' # Index' >> $matrix_nginx_site + echo ' index index.html;' >> 
$matrix_nginx_site echo '' >> $matrix_nginx_site echo ' # Location' >> $matrix_nginx_site echo ' location / {' >> $matrix_nginx_site function_check nginx_limits - nginx_limits $DEFAULT_DOMAIN_NAME '15m' - echo ' }' >> $matrix_nginx_site - echo '' >> $matrix_nginx_site - echo ' # Restrict access that is unnecessary anyway' >> $matrix_nginx_site - echo ' location ~ /\.(ht|git) {' >> $matrix_nginx_site - echo ' deny all;' >> $matrix_nginx_site + nginx_limits ${DEFAULT_DOMAIN_NAME} '15m' + echo " proxy_pass http://localhost:${MATRIX_PORT};" >> $matrix_nginx_site + echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $matrix_nginx_site echo ' }' >> $matrix_nginx_site echo '}' >> $matrix_nginx_site + echo '' >> $matrix_nginx_site + echo 'server {' >> $matrix_nginx_site + echo " listen ${MATRIX_ID_HTTP_PORT} ssl;" >> $matrix_nginx_site + echo ' listen [::]:${MATRIX_ID_HTTP_PORT} ssl;' >> $matrix_nginx_site + echo " server_name ${DEFAULT_DOMAIN_NAME};" >> $matrix_nginx_site + echo '' >> $matrix_nginx_site + echo ' # Security' >> $matrix_nginx_site + function_check nginx_ssl + nginx_ssl ${DEFAULT_DOMAIN_NAME} - if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then - function_check create_site_certificate - create_site_certificate $DEFAULT_DOMAIN_NAME 'yes' - fi + function_check nginx_disable_sniffing + nginx_disable_sniffing ${DEFAULT_DOMAIN_NAME} - nginx_ensite $DEFAULT_DOMAIN_NAME - fi - - if ! grep "localhost:${MATRIX_ID_PORT}" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}; then - sed -i "s|:443 ssl;|:443 ssl;${matrix_identityserver_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} - sed -i "s| default_server;| default_server;${matrix_identityserver_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} - fi - if ! 
grep "localhost:${MATRIX_PORT}" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}; then - sed -i "s|:443 ssl;|:443 ssl;${matrix_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} - sed -i "s| default_server;| default_server;${matrix_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} - fi - if ! grep "localhost:${TURN_PORT}" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}; then - sed -i "s|:443 ssl;|:443 ssl;${turn_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} - sed -i "s| default_server;| default_server;${turn_proxy_str}|g" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} + echo ' add_header Strict-Transport-Security max-age=15768000;' >> $matrix_nginx_site + echo '' >> $matrix_nginx_site + echo ' # Logs' >> $matrix_nginx_site + echo ' access_log /dev/null;' >> $matrix_nginx_site + echo ' error_log /dev/null;' >> $matrix_nginx_site + echo '' >> $matrix_nginx_site + echo ' # Index' >> $matrix_nginx_site + echo ' index index.html;' >> $matrix_nginx_site + echo '' >> $matrix_nginx_site + echo ' # Location' >> $matrix_nginx_site + echo ' location / {' >> $matrix_nginx_site + function_check nginx_limits + nginx_limits ${DEFAULT_DOMAIN_NAME} '15m' + echo " proxy_pass http://localhost:${MATRIX_ID_PORT};" >> $matrix_nginx_site + echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $matrix_nginx_site + echo ' }' >> $matrix_nginx_site + echo '}' >> $matrix_nginx_site + echo '' >> $matrix_nginx_site + else + echo '# Matrix Server' >> $matrix_nginx_site fi + echo 'server {' >> $matrix_nginx_site + echo " listen 127.0.0.1:$MATRIX_ONION_PORT default_server;" >> $matrix_nginx_site + echo " server_name $DEFAULT_DOMAIN_NAME;" >> $matrix_nginx_site + echo '' >> $matrix_nginx_site + function_check nginx_disable_sniffing + nginx_disable_sniffing $DEFAULT_DOMAIN_NAME + echo '' >> $matrix_nginx_site + echo ' # Logs' >> $matrix_nginx_site + echo ' access_log /dev/null;' >> $matrix_nginx_site + echo ' error_log /dev/null;' >> 
$matrix_nginx_site + echo '' >> $matrix_nginx_site + echo ' # Location' >> $matrix_nginx_site + echo ' location / {' >> $matrix_nginx_site + function_check nginx_limits + nginx_limits $DEFAULT_DOMAIN_NAME '15m' + echo " proxy_pass http://localhost:${MATRIX_PORT};" >> $matrix_nginx_site + echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $matrix_nginx_site + echo ' }' >> $matrix_nginx_site + echo '}' >> $matrix_nginx_site + echo '' >> $matrix_nginx_site + echo 'server {' >> $matrix_nginx_site + echo " listen 127.0.0.1:$MATRIX_ID_ONION_PORT default_server;" >> $matrix_nginx_site + echo " server_name $DEFAULT_DOMAIN_NAME;" >> $matrix_nginx_site + echo '' >> $matrix_nginx_site + function_check nginx_disable_sniffing + nginx_disable_sniffing $DEFAULT_DOMAIN_NAME + echo '' >> $matrix_nginx_site + echo ' # Logs' >> $matrix_nginx_site + echo ' access_log /dev/null;' >> $matrix_nginx_site + echo ' error_log /dev/null;' >> $matrix_nginx_site + echo '' >> $matrix_nginx_site + echo ' # Location' >> $matrix_nginx_site + echo ' location / {' >> $matrix_nginx_site + function_check nginx_limits + nginx_limits $DEFAULT_DOMAIN_NAME '15m' + echo " proxy_pass http://localhost:${MATRIX_ID_PORT};" >> $matrix_nginx_site + echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $matrix_nginx_site + echo ' }' >> $matrix_nginx_site + echo '}' >> $matrix_nginx_site + echo '# End of Matrix Server' >> $matrix_nginx_site systemctl restart nginx systemctl restart turn 
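Review bot: The IPv6 `listen` lines of both new public server blocks are single-quoted, so `listen [::]:${MATRIX_HTTP_PORT} ssl;` and `listen [::]:${MATRIX_ID_HTTP_PORT} ssl;` are written into the nginx config with the literal text `${MATRIX_HTTP_PORT}` and nginx rejects the file as an invalid port; they need double quotes like the IPv4 `listen` line directly above each, `echo " listen [::]:${MATRIX_HTTP_PORT} ssl;" >> $matrix_nginx_site`. The same single-quoted line appears in the `install_turn` hunk of freedombone-utils-turn (`${TURN_HTTP_PORT}`). The old `if ! grep "localhost:${MATRIX_PORT}" …` guards were removed and nothing replaces them, so a second run of `matrix_nginx` (upgrade or reinstall) appends a second `# Matrix Server` block with duplicate `listen` directives; wrapping the appends in `if ! grep -q '# Matrix Server' "$matrix_nginx_site"; then … fi` would restore idempotence. The closing brace of `matrix_nginx` is outside the hunk.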
@@ -207,7 +202,7 @@ function matrix_configure_homeserver_yaml {
 local ymltemp="$(mktemp)"
- awk -v TURNURIES="turn_uris: [\"turn:${DEFAULT_DOMAIN_NAME}/_turn?transport=udp\", \"turn:${DEFAULT_DOMAIN_NAME}/_turn?transport=tcp\"]" \
+ awk -v TURNURIES="turn_uris: [\"turn:${DEFAULT_DOMAIN_NAME}:${TURN_HTTP_PORT}?transport=udp\", \"turn:${DEFAULT_DOMAIN_NAME}:${TURN_HTTP_PORT}?transport=tcp\"]" \
 -v TURNSHAREDSECRET="turn_shared_secret: \"${turnkey}\"" \
 -v PIDFILE="pid_file: ${MATRIX_DATA_DIR}/homeserver.pid" \
 -v DATABASE="database: \"${MATRIX_DATA_DIR}/homeserver.db\"" \
@@ -225,15 +220,14 @@ function matrix_configure_homeserver_yaml {
 mv ${ymltemp} "${filepath}"
- if [[ $ONION_ONLY != 'no' ]]; then
- sed -i 's|no_tls: .*|no_tls: True|g' "${filepath}"
- fi
+ sed -i 's|no_tls: .*|no_tls: true|g' "${filepath}"
+ sed -i 's| tls: .*| tls: false|g' "${filepath}"
 sed -i 's|enable_registration_captcha.*|enable_registration_captcha: False|g' "${filepath}"
 sed -i "s|database: \".*|database: \"${MATRIX_DATA_DIR}/homeserver.db\"|g" "${filepath}"
 sed -i "s|media_store_path:.*|media_store_path: \"${MATRIX_DATA_DIR}/media_store\"|g" "${filepath}"
 sed -i "s|pid_file:.*|pid_file: \"${MATRIX_DATA_DIR}/homeserver.pid\"|g" "${filepath}"
 sed -i "s|log_file:.*|log_file: \"/dev/null\"|g" "${filepath}"
- sed -i '0,/bind_address:.*/s//bind_address: 127.0.0.1/' "${filepath}"
+ sed -i 's|bind_address:.*|bind_address: 127.0.0.1|g' "${filepath}"
 sed -i '0,/x_forwarded:.*/s//x_forwarded: true/' "${filepath}"
 sed -i "s|server_name:.*|server_name: \"${DEFAULT_DOMAIN_NAME}\"|g" "${filepath}"
 sed -i "/trusted_third_party_id_servers:/a - ${DEFAULT_DOMAIN_NAME}" "${filepath}"
@@ -473,6 +467,8 @@ function restore_remote_matrix {
 }
 function remove_matrix {
+ firewall_remove ${MATRIX_HTTP_PORT}
+
 systemctl stop matrix
 systemctl stop sydent
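Review bot: The new `turn_uris` point clients at `turn:${DEFAULT_DOMAIN_NAME}:${TURN_HTTP_PORT}` with both `transport=udp` and `transport=tcp`, but in this commit `TURN_HTTP_PORT` (3407) is an nginx `listen … ssl` port whose `location /` does `proxy_pass http://localhost:${TURN_PORT}`, i.e. an `http{}` reverse proxy in front of coturn; nginx's http proxy does not accept UDP and speaks HTTP to the upstream rather than passing the STUN/TURN framing coturn expects on 3478, so clients following these URIs are unlikely to reach the relay. If the goal is TLS in front of TURN, that is a `turns:` URI backed by a TCP/TLS listener terminated by coturn itself (or an nginx `stream{}` block), not an `http{}` server block; otherwise the URIs should keep naming the port coturn actually listens on. `TURN_HTTP_PORT` is defined in freedombone-utils-turn, so this line also assumes that utility script has been sourced before `matrix_configure_homeserver_yaml` runs. The `awk` command and the function continue outside the hunk.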
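Review bot: `no_tls: true` and `tls: false` are now applied unconditionally, so synapse offers TLS on no listener and the only TLS endpoint is the nginx server block on `MATRIX_HTTP_PORT` (8558); federation peers connect to port 8448 unless a `_matrix._tcp` SRV record redirects them, so on non-onion installs this probably breaks federation unless such a record exists — a comment stating the assumption would help, e.g. `# TLS is terminated by nginx on ${MATRIX_HTTP_PORT}; federation relies on an SRV record pointing there`. Changing the `bind_address` substitution from first-match to `g` pairs correctly with `tls: false` (every listener loopback-only behind the proxy), but `x_forwarded: true` is still applied with `0,/…/` to the first listener only, so any further listener will not honour `X-Forwarded-For` and will record 127.0.0.1 as the client address. The function continues outside the hunk.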
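Review bot: `remove_matrix` now closes only `MATRIX_HTTP_PORT`, and the matching `firewall_add matrix ${MATRIX_HTTP_PORT}` in the `install_home_server` hunk opens only that port, yet `matrix_nginx` adds a public `listen ${MATRIX_ID_HTTP_PORT} ssl` server block for the identity server on 8557 that is never opened or closed; either that port is meant to be reachable and needs `firewall_add matrix ${MATRIX_ID_HTTP_PORT}` / `firewall_remove ${MATRIX_ID_HTTP_PORT}` alongside these lines, or the identity-server block should not listen publicly. If the identity server is deliberately not exposed, a one-line comment saying so would stop the next reader from "fixing" it. The body of `remove_matrix` continues outside the hunk.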
@@ -497,11 +493,10 @@ function remove_matrix {
 rm -rf /etc/sydent
 deluser matrix
 delgroup matrix
- remove_onion_service matrix ${MATRIX_PORT}
+ remove_onion_service matrix ${MATRIX_ONION_PORT}
+ remove_onion_service matrix ${MATRIX_ID_ONION_PORT}
- sed -i "/location \/_matrix {/,/}/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}
- sed -i "/location \/_matrixid {/,/}/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}
- sed -i "/location \/_turn {/,/}/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}
+ sed -i "/# Matrix Server{/,/# End of Matrix Server/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}
 systemctl restart nginx
 remove_completion_param install_matrix
@@ -644,7 +639,8 @@ function install_home_server {
 fi
 chmod -R 700 $MATRIX_DATA_DIR/homeserver.db
- MATRIX_ONION_HOSTNAME=$(add_onion_service matrix ${MATRIX_PORT} ${MATRIX_PORT})
+ MATRIX_ONION_HOSTNAME=$(add_onion_service matrix ${MATRIX_PORT} ${MATRIX_ONION_PORT})
+ MATRIX_ID_ONION_HOSTNAME=$(add_onion_service matrixid ${MATRIX_ID_PORT} ${MATRIX_ID_ONION_PORT})
 if [ ! ${MATRIX_PASSWORD} ]; then
 if [ -f ${IMAGE_PASSWORD_FILE} ]; then
 MATRIX_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)"
@@ -653,6 +649,8 @@ function install_home_server {
 fi
 fi
+ firewall_add matrix ${MATRIX_HTTP_PORT}
+
 rm -rf ${MATRIX_DATA_DIR}/Maildir
 rm -rf ${MATRIX_DATA_DIR}/.mutt
 rm -f ${MATRIX_DATA_DIR}/.muttrc
diff --git a/src/freedombone-utils-turn b/src/freedombone-utils-turn
index 14c61a1a..ad99b2e4 100755
--- a/src/freedombone-utils-turn
+++ b/src/freedombone-utils-turn
@@ -29,6 +29,8 @@
 # along with this program. If not, see .
 TURN_PORT=3478
+TURN_HTTP_PORT=3407
+TURN_ONION_PORT=8110
 function generate_turn_key {
 local turnkey="${1}"
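Review bot: The new `sed` range address `/# Matrix Server{/,/# End of Matrix Server/d` has a stray `{`, but the marker `matrix_nginx` writes is `# Matrix Server` with no brace, so the start address never matches and the Matrix server blocks are left in the nginx config on uninstall; it should read `sed -i "/# Matrix Server/,/# End of Matrix Server/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME}`. The same stray brace is in the `remove_turn` hunk of freedombone-utils-turn (`/# TURN Server{/`). Separately, both `remove_onion_service` calls use the service name `matrix`, while `install_home_server` in the next hunk registers the identity server as `matrixid` (`add_onion_service matrixid …`), so the second call should be `remove_onion_service matrixid ${MATRIX_ID_ONION_PORT}` or the hidden service is never removed. `remove_matrix` begins before this hunk.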
@@ -45,11 +47,7 @@ function generate_turn_key {
 }
 function remove_turn {
- firewall_remove ${TURN_PORT}
-}
-
-function remove_turn {
- firewall_remove ${TURN_PORT}
+ firewall_remove ${TURN_HTTP_PORT}
 systemctl stop turn
 systemctl disable turn
 if [ -f /etc/systemd/system/turn.service ]; then
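Review bot: `remove_turn` now closes only `TURN_HTTP_PORT`, but hosts installed before this change opened `TURN_PORT` (the removed `firewall_add turn ${TURN_PORT}` in the `install_turn` hunk), so uninstalling on such a host leaves 3478 open in the firewall. Adding `firewall_remove ${TURN_PORT}` next to the new line is harmless on fresh installs and closes the port on upgraded ones. The rest of `remove_turn` is outside the hunk.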
@@ -57,9 +55,72 @@ function remove_turn { fi apt-get -y remove coturn rm -rf /var/lib/turn + sed -i "/# TURN Server{/,/# End of TURN Server/d" /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} + remove_onion_service turn ${TURN_ONION_PORT} + systemctl restart nginx } function install_turn { + create_default_web_site + + # append the matrix server to the web site config + turn_nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME + if [[ $ONION_ONLY == "no" ]]; then + echo '# TURN Server' >> $turn_nginx_site + echo 'server {' >> $turn_nginx_site + echo " listen ${TURN_HTTP_PORT} ssl;" >> $turn_nginx_site + echo ' listen [::]:${TURN_HTTP_PORT} ssl;' >> $turn_nginx_site + echo " server_name ${DEFAULT_DOMAIN_NAME};" >> $turn_nginx_site + echo '' >> $turn_nginx_site + echo ' # Security' >> $turn_nginx_site + function_check nginx_ssl + nginx_ssl ${DEFAULT_DOMAIN_NAME} + + function_check nginx_disable_sniffing + nginx_disable_sniffing ${DEFAULT_DOMAIN_NAME} + + echo ' add_header Strict-Transport-Security max-age=15768000;' >> $turn_nginx_site + echo '' >> $turn_nginx_site + echo ' # Logs' >> $turn_nginx_site + echo ' access_log /dev/null;' >> $turn_nginx_site + echo ' error_log /dev/null;' >> $turn_nginx_site + echo '' >> $turn_nginx_site + echo ' # Index' >> $turn_nginx_site + echo ' index index.html;' >> $turn_nginx_site + echo '' >> $turn_nginx_site + echo ' # Location' >> $turn_nginx_site + echo ' location / {' >> $turn_nginx_site + function_check nginx_limits + nginx_limits ${DEFAULT_DOMAIN_NAME} '15m' + echo " proxy_pass http://localhost:${TURN_PORT};" >> $turn_nginx_site + echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $turn_nginx_site + echo ' }' >> $turn_nginx_site + echo '}' >> $turn_nginx_site + echo '' >> $turn_nginx_site + else + echo '# TURN Server' >> $turn_nginx_site + fi + echo 'server {' >> $turn_nginx_site + echo " listen 127.0.0.1:$TURN_ONION_PORT default_server;" >> $turn_nginx_site + echo " server_name $DEFAULT_DOMAIN_NAME;" >> 
$turn_nginx_site + echo '' >> $turn_nginx_site + function_check nginx_disable_sniffing + nginx_disable_sniffing $DEFAULT_DOMAIN_NAME + echo '' >> $turn_nginx_site + echo ' # Logs' >> $turn_nginx_site + echo ' access_log /dev/null;' >> $turn_nginx_site + echo ' error_log /dev/null;' >> $turn_nginx_site + echo '' >> $turn_nginx_site + echo ' # Location' >> $turn_nginx_site + echo ' location / {' >> $turn_nginx_site + function_check nginx_limits + nginx_limits $DEFAULT_DOMAIN_NAME '15m' + echo " proxy_pass http://localhost:${TURN_PORT};" >> $turn_nginx_site + echo ' proxy_set_header X-Forwarded-For $remote_addr;' >> $turn_nginx_site + echo ' }' >> $turn_nginx_site + echo '}' >> $turn_nginx_site + echo '# End of TURN Server' >> $turn_nginx_site + export DEBIAN_FRONTEND=noninteractive apt-get -yq install coreutils coturn \ curl file gcc git libevent-2.0-5 \ @@ -108,7 +169,11 @@ function install_turn { systemctl daemon-reload systemctl start turn - firewall_add turn ${TURN_PORT} + firewall_add turn ${TURN_HTTP_PORT} + + TURN_ONION_HOSTNAME=$(add_onion_service turn ${TURN_PORT} ${TURN_ONION_PORT}) + + systemctl restart nginx } # NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web index e42f9086..9367f8fd 100755 --- a/src/freedombone-utils-web +++ b/src/freedombone-utils-web @@ -31,6 +31,9 @@ # default search engine for command line browser DEFAULT_SEARCH='https://searx.laquadrature.net' +# onion port for the default domain +DEFAULT_DOMAIN_ONION_PORT=8099 + # Whether Let's Encrypt is enabled for all sites LETSENCRYPT_ENABLED="no" LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' 
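Review bot: The comment `# append the matrix server to the web site config` in `install_turn` was copied from freedombone-app-matrix and should read `# append the TURN server to the web site config`. More importantly, the new `location /` does `proxy_pass http://localhost:${TURN_PORT}` and the following hunk replaces `firewall_add turn ${TURN_PORT}` with `firewall_add turn ${TURN_HTTP_PORT}`, so coturn on 3478 is no longer reachable from outside and all TURN traffic would have to pass through an nginx `http{}` proxy, which carries neither UDP nor the STUN/TURN protocol (see the note on the `turn_uris` hunk of freedombone-app-matrix); unless coturn is separately configured to listen on 3407, VoIP relaying on non-onion installs is likely to stop working after this commit. If the intent is only to give TURN an onion address, the `TURN_ONION_HOSTNAME=$(add_onion_service …)` line is sufficient and the public `ssl` server block plus the firewall change could be dropped, keeping `firewall_add turn ${TURN_PORT}`. `install_turn` continues outside the hunk.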
@@ -802,4 +805,98 @@ function update_default_domain { fi } +function create_default_web_site { + if [ ! -f /etc/nginx/sites-available/${DEFAULT_DOMAIN_NAME} ]; then + # create a web site for the default domain + if [ ! -d /var/www/${DEFAULT_DOMAIN_NAME}/htdocs ]; then + mkdir -p /var/www/${DEFAULT_DOMAIN_NAME}/htdocs + if [ -d /root/${PROJECT_NAME} ]; then + cd /root/${PROJECT_NAME}/website + ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs + else + if [ -d /home/${MY_USERNAME}/${PROJECT_NAME} ]; then + cd /home/${MY_USERNAME}/${PROJECT_NAME} + ./deploy.sh EN /var/www/${DEFAULT_DOMAIN_NAME}/htdocs + fi + fi + fi + + # add a config for the default domain + nginx_site=/etc/nginx/sites-available/$DEFAULT_DOMAIN_NAME + if [[ $ONION_ONLY == "no" ]]; then + function_check nginx_http_redirect + nginx_http_redirect $DEFAULT_DOMAIN_NAME + echo 'server {' >> $nginx_site + echo ' listen 443 ssl;' >> $nginx_site + echo ' listen [::]:443 ssl;' >> $nginx_site + echo " server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site + echo '' >> $nginx_site + echo ' # Security' >> $nginx_site + function_check nginx_ssl + nginx_ssl $DEFAULT_DOMAIN_NAME + + function_check nginx_disable_sniffing + nginx_disable_sniffing $DEFAULT_DOMAIN_NAME + + echo ' add_header Strict-Transport-Security max-age=15768000;' >> $nginx_site + echo '' >> $nginx_site + echo ' # Logs' >> $nginx_site + echo ' access_log /dev/null;' >> $nginx_site + echo ' error_log /dev/null;' >> $nginx_site + echo '' >> $nginx_site + echo ' # Root' >> $nginx_site + echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site + echo '' >> $nginx_site + echo ' # Index' >> $nginx_site + echo ' index index.html;' >> $nginx_site + echo '' >> $nginx_site + echo ' # Location' >> $nginx_site + echo ' location / {' >> $nginx_site + function_check nginx_limits + nginx_limits $DEFAULT_DOMAIN_NAME '15m' + echo ' }' >> $nginx_site + echo '' >> $nginx_site + echo ' # Restrict access that is unnecessary anyway' >> $nginx_site + echo ' 
location ~ /\.(ht|git) {' >> $nginx_site + echo ' deny all;' >> $nginx_site + echo ' }' >> $nginx_site + echo '}' >> $nginx_site + else + echo -n '' > $nginx_site + fi + echo 'server {' >> $nginx_site + echo " listen 127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT default_server;" >> $nginx_site + echo " server_name $DEFAULT_DOMAIN_NAME;" >> $nginx_site + echo '' >> $nginx_site + function_check nginx_disable_sniffing + nginx_disable_sniffing $DEFAULT_DOMAIN_NAME + echo '' >> $nginx_site + echo ' # Logs' >> $nginx_site + echo ' access_log /dev/null;' >> $nginx_site + echo ' error_log /dev/null;' >> $nginx_site + echo '' >> $nginx_site + echo ' # Root' >> $nginx_site + echo " root /var/www/$DEFAULT_DOMAIN_NAME/htdocs;" >> $nginx_site + echo '' >> $nginx_site + echo ' # Location' >> $nginx_site + echo ' location / {' >> $nginx_site + function_check nginx_limits + nginx_limits $DEFAULT_DOMAIN_NAME '15m' + echo ' }' >> $nginx_site + echo '' >> $nginx_site + echo ' # Restrict access that is unnecessary anyway' >> $nginx_site + echo ' location ~ /\.(ht|git) {' >> $nginx_site + echo ' deny all;' >> $nginx_site + echo ' }' >> $nginx_site + echo '}' >> $nginx_site + + if [ ! -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then + function_check create_site_certificate + create_site_certificate $DEFAULT_DOMAIN_NAME 'yes' + fi + + nginx_ensite $DEFAULT_DOMAIN_NAME + fi +} + # NOTE: deliberately no exit 0
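Review bot: The two deploy branches of `create_default_web_site` are inconsistent and neither checks its `cd`: the first does `cd /root/${PROJECT_NAME}/website` while the fallback does `cd /home/${MY_USERNAME}/${PROJECT_NAME}` without `/website`, and if either `cd` fails `./deploy.sh` runs from whatever the caller's directory was; use `cd … || return 1` (or a subshell) and confirm whether the second path also needs `/website`. Running `./deploy.sh` from `/home/${MY_USERNAME}/…` as root executes code from a directory that account can modify, so a comment stating why that checkout is trusted (or preferring the `/root` copy when both exist) would help the next reader. The onion server block listens on `127.0.0.1:$DEFAULT_DOMAIN_ONION_PORT`, but nothing in this hunk registers it with `add_onion_service`; if that happens elsewhere, a short comment pointing there would be useful.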