#!/bin/bash # # .---. . . # | | | # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-' # ' ' --' --' -' - -' ' ' -' -' -' ' - --' # # Freedom in the Cloud # # This install script is intended for use with Debian Jessie # # Please note that the various hashes and download archives # for systems such as Owncloud and Dokuwiki may need to be updated # # License # ======= # # Copyright (C) 2014 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # # Summary # ======= # # This script is intended to be run on the target device, which # is typically a Beaglebone Black. # # To be able to run this script you need to get to a condition # where you have Debian Jessie installed, with at least one # unprivileged user account and at least one subdomain created on # https://freedns.afraid.org/. If you're not installing on a # Beaglebone Black then set the variable INSTALLING_ON_BBB to "no" # # Note on dynamic dns # =================== # # I'm not particularly trying to promote freedns.afraid.org # as a service, it just happens to be a dynamic DNS system which # provides free (as in beer) accounts, and I'm trying to make the # process of setting up a working server as trivial as possible. # Other dynamic DNS systems are available, and if you're using # something different then comment out the section within # argument_checks and the call to dynamic_dns_freedns. # # Prerequisites # ============= # # You will need to initially prepare a microSD card with a Debian # image on it. This can be done using the initial_setup.sh script. # # If you are not using a Beaglebone Black then just prepare the # target system with a fresh installation of Debian Jessie. DOMAIN_NAME=$1 MY_USERNAME=$2 FREEDNS_SUBDOMAIN_CODE=$3 SYSTEM_TYPE=$4 # Are we installing on a Beaglebone Black (BBB) or some other system? INSTALLING_ON_BBB="yes" # Different system variants which may be specified within # the SYSTEM_TYPE option VARIANT_WRITER="writer" VARIANT_CLOUD="cloud" VARIANT_CHAT="chat" VARIANT_MAILBOX="mailbox" VARIANT_NONMAILBOX="nonmailbox" VARIANT_SOCIAL="social" VARIANT_MEDIA="media" SSH_PORT=2222 # kernel specifically tweaked for the Beaglebone Black KERNEL_VERSION="v3.15.10-bone7" # Whether or not to use the beaglebone's hardware random number generator USE_HWRNG="yes" # Whether this system is being installed within a docker container INSTALLED_WITHIN_DOCKER="no" # If you want to run a public mailing list specify its name here. # There should be no spaces in the name PUBLIC_MAILING_LIST= # Optional different domain name for the public mailing list PUBLIC_MAILING_LIST_DOMAIN_NAME= # Directory where the public mailing list data is stored PUBLIC_MAILING_LIST_DIRECTORY="/var/spool/mlmmj" # If you want to run an encrypted mailing list specify its name here. # There should be no spaces in the name PRIVATE_MAILING_LIST= # Domain name or freedns subdomain for mediagoblin installation MEDIAGOBLIN_DOMAIN_NAME= MEDIAGOBLIN_FREEDNS_SUBDOMAIN_CODE= MEDIAGOBLIN_REPO="" MEDIAGOBLIN_ADMIN_PASSWORD= # Domain name or freedns subdomain for microblog installation MICROBLOG_DOMAIN_NAME= MICROBLOG_FREEDNS_SUBDOMAIN_CODE= MICROBLOG_REPO="git://gitorious.org/social/mainline.git" MICROBLOG_ADMIN_PASSWORD= MICROBLOG_INSTALLED="no" # Domain name or redmatrix installation REDMATRIX_DOMAIN_NAME= REDMATRIX_FREEDNS_SUBDOMAIN_CODE= REDMATRIX_REPO="https://github.com/friendica/red.git" REDMATRIX_ADDONS_REPO="https://github.com/friendica/red-addons.git" REDMATRIX_ADMIN_PASSWORD= REDMATRIX_INSTALLED="no" # Domain name or freedns subdomain for Owncloud installation OWNCLOUD_DOMAIN_NAME= # Freedns dynamic dns code for owncloud OWNCLOUD_FREEDNS_SUBDOMAIN_CODE= OWNCLOUD_ARCHIVE="owncloud-7.0.2.tar.bz2" OWNCLOUD_DOWNLOAD="https://download.owncloud.org/community/$OWNCLOUD_ARCHIVE" OWNCLOUD_HASH="ea07124a1b9632aa5227240d655e4d84967fb6dd49e4a16d3207d6179d031a3a" OWNCLOUD_INSTALLED="no" # Domain name or freedns subdomain for your wiki WIKI_FREEDNS_SUBDOMAIN_CODE= WIKI_DOMAIN_NAME= WIKI_ARCHIVE="dokuwiki-stable.tgz" WIKI_DOWNLOAD="http://download.dokuwiki.org/src/dokuwiki/$WIKI_ARCHIVE" WIKI_HASH="a0e79986b87b2744421ce3c33b43a21f296deadd81b1789c25fa4bb095e8e470" WIKI_INSTALLED="no" # see https://www.dokuwiki.org/template:mnml-blog # https://andreashaerter.com/tmp/downloads/dokuwiki-template-mnml-blog/CHECKSUMS.asc WIKI_MNML_BLOG_ADDON_ARCHIVE="mnml-blog.tar.gz" WIKI_MNML_BLOG_ADDON="https://andreashaerter.com/downloads/dokuwiki-template-mnml-blog/latest" WIKI_MNML_BLOG_ADDON_HASH="428c280d09ee14326fef5cd6f6772ecfcd532f7b6779cd992ff79a97381cf39f" # see https://www.dokuwiki.org/plugin:blogtng WIKI_BLOGTNG_ADDON_NAME="dokufreaks-plugin-blogtng-93a3fec" WIKI_BLOGTNG_ADDON_ARCHIVE="$WIKI_BLOGTNG_ADDON_NAME.zip" WIKI_BLOGTNG_ADDON="https://github.com/dokufreaks/plugin-blogtng/zipball/master" WIKI_BLOGTNG_ADDON_HASH="212b3ad918fdc92b2d49ef5d36bc9e086eab27532931ba6b87e05f35fd402a27" # see https://www.dokuwiki.org/plugin:sqlite WIKI_SQLITE_ADDON_NAME="cosmocode-sqlite-7be4003" WIKI_SQLITE_ADDON_ARCHIVE="$WIKI_SQLITE_ADDON_NAME.tar.gz" WIKI_SQLITE_ADDON="https://github.com/cosmocode/sqlite/tarball/master" WIKI_SQLITE_ADDON_HASH="930335e647c7e62f3068689c256ee169fad2426b64f8360685d391ecb5eeda0c" GPG_KEYSERVER="hkp://keys.gnupg.net" # whether to encrypt all incoming email with your public key GPG_ENCRYPT_STORED_EMAIL="yes" # gets set to yes if gpg keys are imported from usb GPG_KEYS_IMPORTED="no" # optionally you can provide your exported GPG key pair here # Note that the private key file will be deleted after use # If these are unspecified then a new GPG key will be created MY_GPG_PUBLIC_KEY= MY_GPG_PRIVATE_KEY= # optionally specify your public key ID MY_GPG_PUBLIC_KEY_ID= # If you have existing mail within a Maildir # you can specify the directory here and the files # will be imported IMPORT_MAILDIR= # The Debian package repository to use. DEBIAN_REPO="ftp.us.debian.org" DEBIAN_VERSION="jessie" # Directory where source code is downloaded and compiled INSTALL_DIR=$HOME/build # device name for an attached usb drive USB_DRIVE=/dev/sda1 # Location where the USB drive is mounted to USB_MOUNT=/mnt/usb # Name of a script used to create a backup of the system on usb drive BACKUP_SCRIPT_NAME="backup" # Name of a script used to restore the system from usb drive RESTORE_SCRIPT_NAME="restore" # memory limit for php in MB MAX_PHP_MEMORY=32 # default MariaDB password MARIADB_PASSWORD= # Directory where XMPP settings are stored XMPP_DIRECTORY="/var/lib/prosody" # file containing a list of remote locations to backup to FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list #list of encryption protocols SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2" # list of ciphers to use. See bettercrypto.org recommendations SSL_CIPHERS="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA" export DEBIAN_FRONTEND=noninteractive # File which keeps track of what has already been installed COMPLETION_FILE=$HOME/freedombone-completed.txt if [ ! -f $COMPLETION_FILE ]; then touch $COMPLETION_FILE fi # message if something fails to install CHECK_MESSAGE="Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list." function show_help { echo '' echo './install-freedombone.sh [domain] [username] [subdomain code] [system type]' echo '' echo 'domain' echo '------' echo 'This is your domain name or freedns subdomain.' echo '' echo 'username' echo '--------' echo '' echo 'This will be your username on the system. It should be all' echo 'lower case and contain no spaces' echo '' echo 'subdomain code' echo '--------------' echo 'This is the freedns dynamic DNS code for your subdomain.' echo "To find it from https://freedns.afraid.org select 'Dynamic DNS'," echo "then 'quick cron example' and copy the code located between " echo "'?' and '=='." echo '' echo 'system type' echo '-----------' echo 'This can either be blank if you wish to install the full system,' echo "or for more specialised variants you can specify '$VARIANT_MAILBOX', '$VARIANT_CLOUD'," echo "'$VARIANT_CHAT', '$VARIANT_SOCIAL', '$VARIANT_MEDIA' or '$VARIANT_WRITER'." echo "If you wish to install everything except email then use the '$VARIANT_NONMAILBOX' variaint." } function argument_checks { if [ ! -d /home/$MY_USERNAME ]; then echo "There is no user '$MY_USERNAME' on the system. Use 'adduser $MY_USERNAME' to create the user." exit 1 fi if [ ! $DOMAIN_NAME ]; then show_help exit 2 fi if [ ! $MY_USERNAME ]; then show_help exit 3 fi if [ ! $FREEDNS_SUBDOMAIN_CODE ]; then show_help exit 4 fi if [ $SYSTEM_TYPE ]; then if [[ $SYSTEM_TYPE != $VARIANT_WRITER && $SYSTEM_TYPE != $VARIANT_CLOUD && $SYSTEM_TYPE != $VARIANT_CHAT && $SYSTEM_TYPE != $VARIANT_MAILBOX && $SYSTEM_TYPE != $VARIANT_NONMAILBOX && $SYSTEM_TYPE != $VARIANT_SOCIAL && $SYSTEM_TYPE != $VARIANT_MEDIA ]]; then echo "'$SYSTEM_TYPE' is an unrecognised Freedombone variant." exit 30 fi fi } function check_hwrng { # If hardware random number generation was enabled then make sure that the device exists. # if /dev/hwrng is not found then any subsequent cryptographic key generation would # suffer from low entropy and might be insecure if [ ! -f /etc/default/rng-tools ]; then return fi if [ ! -e /dev/hwrng ]; then ls /dev/hw* echo 'The hardware random number generator is enabled but could not be detected on' echo '/dev/hwrng. There may be a problem with the installation or the Beaglebone hardware.' exit 75 fi } function create_backup_script { if grep -Fxq "create_backup_script" $COMPLETION_FILE; then return fi apt-get -y --force-yes install duplicity gnupg echo '#!/bin/bash' > /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ ! -b $USB_DRIVE ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo ' echo "Please attach a USB drive"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo ' exit 1' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ ! -d $USB_MOUNT ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo " mkdir $USB_MOUNT" >> /usr/bin/$BACKUP_SCRIPT_NAME echo " mount $USB_DRIVE $USB_MOUNT" >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ ! -d $USB_MOUNT/backup ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo " mkdir $USB_MOUNT/backup" >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '# Put some files into a temporary directory so that they can be easily backed up' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ ! -d /home/$MY_USERNAME/tempfiles ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo " mkdir /home/$MY_USERNAME/tempfiles" >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME if [[ $MICROBLOG_INSTALLED == "yes" ]]; then echo 'echo "Obtaining GNU Social database backup"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "mysqldump --password=$MARIADB_PASSWORD gnusocial > /home/$MY_USERNAME/tempfiles/gnusocial.sql" >> /usr/bin/$BACKUP_SCRIPT_NAME fi if [[ $REDMATRIX_INSTALLED == "yes" ]]; then echo 'echo "Obtaining Red Matrix database backup"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "mysqldump --password=$MARIADB_PASSWORD redmatrix > /home/$MY_USERNAME/tempfiles/redmatrix.sql" >> /usr/bin/$BACKUP_SCRIPT_NAME fi if [[ $OWNCLOUD_INSTALLED == "yes" ]]; then echo 'echo "Obtaining Owncloud data backup"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "tar -czvf /home/$MY_USERNAME/tempfiles/owncloud.tar.gz /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs/config /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs/data" >> /usr/bin/$BACKUP_SCRIPT_NAME fi if [[ $WIKI_INSTALLED == "yes" ]]; then echo 'echo "Obtaining wiki data backup"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "tar -czvf /home/$MY_USERNAME/tempfiles/wiki.tar.gz /var/www/$WIKI_DOMAIN_NAME/htdocs" >> /usr/bin/$BACKUP_SCRIPT_NAME fi echo 'echo "Archiving miscellaneous files"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'tar -czvf /home/$MY_USERNAME/tempfiles/miscfiles.tar.gz /home/$MY_USERNAME/.gnupg /home/$MY_USERNAME/.muttrc /home/$MY_USERNAME/.procmailrc /home/$MY_USERNAME/.ssh /home/$MY_USERNAME/personal' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '# Backup the public mailing list' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ -d $PUBLIC_MAILING_LIST_DIRECTORY ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo ' echo "Backing up the public mailing list"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo " duplicity incr --encrypt-key $GPG_KEY --full-if-older-than 4W --exclude-other-filesystems $PUBLIC_MAILING_LIST_DIRECTORY file://$USB_MOUNT/backup/publicmailinglist" >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '# Backup xmpp settings' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ -d $XMPP_DIRECTORY ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo ' echo "Backing up the XMPP settings"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo " duplicity incr --encrypt-key $GPG_KEY --full-if-older-than 4W --exclude-other-filesystems $XMPP_DIRECTORY file://$USB_MOUNT/backup/xmpp" >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '# Backup web content and other stuff' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ -d /home/$MY_USERNAME/tempfiles ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo ' echo "Backing up web content and miscellaneous files"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo " duplicity incr --encrypt-key $GPG_KEY --full-if-older-than 4W --exclude-other-filesystems /home/$MY_USERNAME/tempfiles file://$USB_MOUNT/backup/tempfiles" >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '# Backup email' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ -d /home/$MY_USERNAME/Maildir ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo ' echo "Backing up emails"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo " duplicity incr --encrypt-key $GPG_KEY --full-if-older-than 4W --exclude-other-filesystems /home/$MY_USERNAME/Maildir file://$USB_MOUNT/backup/Maildir" >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '# Backup DLNA cache' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ -d /var/cache/minidlna ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo ' echo "Backing up DLNA cache"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo " duplicity incr --encrypt-key $GPG_KEY --full-if-older-than 4W --exclude-other-filesystems /var/cache/minidlna file://$USB_MOUNT/backup/dlna" >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'echo "Cleaning up backup files"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'duplicity --force cleanup file://$USB_MOUNT/backup' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'echo "Removing old backups"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'duplicity --force remove-all-but-n-full 2 file://$USB_MOUNT/backup' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '' >> /usr/bin/$BACKUP_SCRIPT_NAME echo '# Remove temporary files' >> /usr/bin/$BACKUP_SCRIPT_NAME echo "if [ -d /home/$MY_USERNAME/tempfiles ]; then" >> /usr/bin/$BACKUP_SCRIPT_NAME echo ' echo "Removing temporary files"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo " rm -rf /home/$MY_USERNAME/tempfiles" >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'fi' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'echo "Backup is complete"' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'exit 0' >> /usr/bin/$BACKUP_SCRIPT_NAME echo 'create_backup_script' >> $COMPLETION_FILE } function create_restore_script { if grep -Fxq "create_restore_script" $COMPLETION_FILE; then return fi apt-get -y --force-yes install duplicity echo 'create_restore_script' >> $COMPLETION_FILE } function backup_to_friends_servers { if grep -Fxq "backup_to_friends_servers" $COMPLETION_FILE; then return fi if [ ! $FRIENDS_SERVERS_LIST ]; then return fi apt-get -y --force-yes install duplicity # script to do backups echo '#!/bin/bash' > /usr/bin/backup2friends echo 'GPG_KEY=$1' >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo "if [ ! -f $FRIENDS_SERVERS_LIST ]; then" >> /usr/bin/backup2friends echo ' exit 1' >> /usr/bin/backup2friends echo 'fi' >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo 'if [ ! $GPG_KEY ]; then' >> /usr/bin/backup2friends echo " echo 'Unable to perform automated backup. You need to add a GPG key to /etc/cron.daily/backuptofriends' | mail -s 'Backup failure' $MY_USERNAME@$DOMAIN_NAME" >> /usr/bin/backup2friends echo ' exit 2' >> /usr/bin/backup2friends echo 'fi' >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo '# Put some files into a temporary directory so that they can be easily backed up' >> /usr/bin/backup2friends echo "if [ ! -d /home/$MY_USERNAME/tempfiles ]; then" >> /usr/bin/backup2friends echo " mkdir /home/$MY_USERNAME/tempfiles" >> /usr/bin/backup2friends echo 'fi' >> /usr/bin/backup2friends if [[ $MICROBLOG_INSTALLED == "yes" ]]; then echo "mysqldump --password=$MARIADB_PASSWORD gnusocial > /home/$MY_USERNAME/tempfiles/gnusocial.sql" >> /usr/bin/backup2friends fi if [[ $REDMATRIX_INSTALLED == "yes" ]]; then echo "mysqldump --password=$MARIADB_PASSWORD redmatrix > /home/$MY_USERNAME/tempfiles/redmatrix.sql" >> /usr/bin/backup2friends fi if [[ $OWNCLOUD_INSTALLED == "yes" ]]; then echo "tar -czvf /home/$MY_USERNAME/tempfiles/owncloud.tar.gz /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs/config /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs/data" >> /usr/bin/backup2friends fi if [[ $WIKI_INSTALLED == "yes" ]]; then echo "tar -czvf /home/$MY_USERNAME/tempfiles/wiki.tar.gz /var/www/$WIKI_DOMAIN_NAME/htdocs" >> /usr/bin/backup2friends fi echo 'tar -czvf /home/$MY_USERNAME/tempfiles/miscfiles.tar.gz /home/$MY_USERNAME/.gnupg /home/$MY_USERNAME/.muttrc /home/$MY_USERNAME/.procmailrc /home/$MY_USERNAME/.ssh /home/$MY_USERNAME/personal' >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo 'while read remote_server' >> /usr/bin/backup2friends echo 'do' >> /usr/bin/backup2friends echo ' # Get the server and its password' >> /usr/bin/backup2friends echo ' SERVER="${* %%remote_server}"' >> /usr/bin/backup2friends echo ' FTP_PASSWORD="${remote_server%% *}"' >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo ' # Backup the public mailing list' >> /usr/bin/backup2friends echo " if [ -d $PUBLIC_MAILING_LIST_DIRECTORY ]; then" >> /usr/bin/backup2friends echo " duplicity incr --ssh-askpass --encrypt-key $GPG_KEY --full-if-older-than 4W --exclude-other-filesystems $PUBLIC_MAILING_LIST_DIRECTORY $SERVER/publicmailinglist" >> /usr/bin/backup2friends echo ' fi' >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo ' # Backup xmpp settings' >> /usr/bin/backup2friends echo " if [ -d $XMPP_DIRECTORY ]; then" >> /usr/bin/backup2friends echo " duplicity incr --ssh-askpass --encrypt-key $GPG_KEY --full-if-older-than 4W --exclude-other-filesystems $XMPP_DIRECTORY $SERVER/xmpp" >> /usr/bin/backup2friends echo ' fi' >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo ' # Backup web content and other stuff' >> /usr/bin/backup2friends echo " if [ -d /home/$MY_USERNAME/tempfiles ]; then" >> /usr/bin/backup2friends echo " duplicity incr --ssh-askpass --encrypt-key $GPG_KEY --full-if-older-than 4W --exclude-other-filesystems /home/$MY_USERNAME/tempfiles $SERVER/tempfiles" >> /usr/bin/backup2friends echo ' fi' >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo ' # Backup email' >> /usr/bin/backup2friends echo " if [ -d /home/$MY_USERNAME/Maildir ]; then" >> /usr/bin/backup2friends echo " duplicity incr --ssh-askpass --encrypt-key $GPG_KEY --full-if-older-than 4W --exclude-other-filesystems /home/$MY_USERNAME/Maildir $SERVER/Maildir" >> /usr/bin/backup2friends echo ' fi' >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo ' # Backup DLNA cache' >> /usr/bin/backup2friends echo " if [ -d /var/cache/minidlna ]; then" >> /usr/bin/backup2friends echo " duplicity incr --ssh-askpass --encrypt-key $GPG_KEY --full-if-older-than 4W --exclude-other-filesystems /var/cache/minidlna $SERVER/dlna" >> /usr/bin/backup2friends echo ' fi' >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo ' duplicity --ssh-askpass --force cleanup $SERVER' >> /usr/bin/backup2friends echo ' duplicity --ssh-askpass --force remove-all-but-n-full 2 $SERVER' >> /usr/bin/backup2friends echo "done < $FRIENDS_SERVERS_LIST" >> /usr/bin/backup2friends echo '' >> /usr/bin/backup2friends echo '# Remove temporary files' >> /usr/bin/backup2friends echo "if [ -d /home/$MY_USERNAME/tempfiles ]; then" >> /usr/bin/backup2friends echo " rm -rf /home/$MY_USERNAME/tempfiles" >> /usr/bin/backup2friends echo 'fi' >> /usr/bin/backup2friends echo 'exit 0' >> /usr/bin/backup2friends chmod +x /usr/bin/backup2friends # update crontab echo '#!/bin/bash' > /etc/cron.daily/backuptofriends if [ $MY_GPG_PUBLIC_KEY_ID ]; then echo "GPG_KEY=$MY_GPG_PUBLIC_KEY_ID" >> /etc/cron.daily/backuptofriends else echo 'GPG_KEY=' >> /etc/cron.daily/backuptofriends fi echo '/usr/bin/backup2friends $GPG_KEY' >> /etc/cron.daily/backuptofriends chmod +x /etc/cron.daily/backuptofriends echo 'backup_to_friends_servers' >> $COMPLETION_FILE } function remove_default_user { # make sure you don't use the default user account if [[ $MY_USERNAME == "debian" ]]; then echo 'Do not use the default debian user account. Create a different user with: adduser [username]' exit 68 fi # remove the default debian user to prevent it from becoming an attack vector if [ -d /home/debian ]; then userdel -r debian echo 'Default debian user account removed' fi } function enforce_good_passwords { # because humans are generally bad at choosing passwords if grep -Fxq "enforce_good_passwords" $COMPLETION_FILE; then return fi apt-get -y --force-yes install libpam-cracklib sed -i 's/password.*requisite.*pam_cracklib.so.*/password required pam_cracklib.so retry=2 dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0 minlen=10 reject_username/g' /etc/pam.d/common-password echo 'enforce_good_passwords' >> $COMPLETION_FILE } function change_login_message { if grep -Fxq "change_login_message" $COMPLETION_FILE; then return fi echo '' > /etc/motd echo ".---. . . " >> /etc/motd echo "| | | " >> /etc/motd echo "|--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. " >> /etc/motd echo "| | (.-' (.-' ( | ( )| | | | )( )| | (.-' " >> /etc/motd echo "' ' --' --' -' - -' ' ' -' -' -' ' - --'" >> /etc/motd if [[ $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then echo ' . . . ' >> /etc/motd echo ' |\ /| | o ' >> /etc/motd echo " | \/ | .-. .-.| . .-. " >> /etc/motd echo " | |(.-'( | | ( ) " >> /etc/motd echo " ' ' --' -' --' - -' - " >> /etc/motd fi if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then echo ' . . . . . ' >> /etc/motd echo ' \ \ / / o _|_ ' >> /etc/motd echo ' \ \ /.--.. | .-. .--.' >> /etc/motd echo " \/ \/ | | | (.-' | " >> /etc/motd echo " ' ' ' -' - -' --'' " >> /etc/motd fi if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then echo ' .--.. . ' >> /etc/motd echo ' : | | ' >> /etc/motd echo ' | | .-. . . .-.| ' >> /etc/motd echo ' : |( )| |( | ' >> /etc/motd echo " --' - -' -- - -' -" >> /etc/motd fi if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then echo ' .--.. . ' >> /etc/motd echo ' : | _|_ ' >> /etc/motd echo ' | |--. .-. | ' >> /etc/motd echo ' : | |( ) | ' >> /etc/motd echo " --'' - -' - -' " >> /etc/motd fi if [[ $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then echo ' .-. . ' >> /etc/motd echo ' ( ) o | ' >> /etc/motd echo ' -. .-. .-. . .-. | ' >> /etc/motd echo ' ( )( )( | ( ) | ' >> /etc/motd echo " -' -' -'-' - -' - - " >> /etc/motd fi if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then echo ' . . . . ' >> /etc/motd echo ' |\ /| o | | ' >> /etc/motd echo ' | \/ | .-. . | |.-. .-.-. ,- ' >> /etc/motd echo ' | |( ) | | | )( ) : ' >> /etc/motd echo " ' ' -' --' - -' -' -'-' - " >> /etc/motd fi echo '' >> /etc/motd echo ' Freedom in the Cloud' >> /etc/motd echo '' >> /etc/motd echo 'change_login_message' >> $COMPLETION_FILE } function search_for_attached_usb_drive { # If a USB drive is attached then search for email, # gpg, ssh keys and emacs configuration if grep -Fxq "search_for_attached_usb_drive" $COMPLETION_FILE; then return fi if [ -b $USB_DRIVE ]; then if [ ! -d $USB_MOUNT ]; then echo 'Mounting USB drive' mkdir $USB_MOUNT mount $USB_DRIVE $USB_MOUNT fi if ! [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then if [ -d $USB_MOUNT/Maildir ]; then echo 'Maildir found on USB drive' IMPORT_MAILDIR=$USB_MOUNT/Maildir fi if [ -d $USB_MOUNT/.gnupg ]; then echo 'Importing GPG keyring' cp -r $USB_MOUNT/.gnupg /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg GPG_KEYS_IMPORTED="yes" if [ -f /home/$MY_USERNAME/.gnupg/secring.gpg ]; then shred -zu $USB_MOUNT/.gnupg/secring.gpg shred -zu $USB_MOUNT/.gnupg/random_seed shred -zu $USB_MOUNT/.gnupg/trustdb.gpg rm -rf $USB_MOUNT/.gnupg else echo 'GPG files did not copy' exit 7 fi fi if [ -f $USB_MOUNT/.procmailrc ]; then echo 'Importing procmail settings' cp $USB_MOUNT/.procmailrc /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc fi if [ -f $USB_MOUNT/private_key.gpg ]; then echo 'GPG private key found on USB drive' MY_GPG_PRIVATE_KEY=$USB_MOUNT/private_key.gpg fi if [ -f $USB_MOUNT/public_key.gpg ]; then echo 'GPG public key found on USB drive' MY_GPG_PUBLIC_KEY=$USB_MOUNT/public_key.gpg fi fi if [ -d $USB_MOUNT/prosody ]; then if [ ! -d $XMPP_DIRECTORY ]; then mkdir $XMPP_DIRECTORY fi cp -r $USB_MOUNT/prosody/* $XMPP_DIRECTORY chown -R prosody:prosody $XMPP_DIRECTORY fi if [ -d $USB_MOUNT/.ssh ]; then echo 'Importing ssh keys' cp -r $USB_MOUNT/.ssh /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh # for security delete the ssh keys from the usb drive if [ -f /home/$MY_USERNAME/.ssh/id_rsa ]; then shred -zu $USB_MOUNT/.ssh/id_rsa shred -zu $USB_MOUNT/.ssh/id_rsa.pub shred -zu $USB_MOUNT/.ssh/known_hosts rm -rf $USB_MOUNT/.ssh else echo 'ssh files did not copy' exit 8 fi fi if [ -f $USB_MOUNT/.emacs ]; then echo 'Importing .emacs file' cp -f $USB_MOUNT/.emacs /home/$MY_USERNAME/.emacs chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs fi if [ -d $USB_MOUNT/.emacs.d ]; then echo 'Importing .emacs.d directory' cp -r $USB_MOUNT/.emacs.d /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs.d fi if [ -d $USB_MOUNT/ssl ]; then echo 'Importing SSL certificates' cp -r $USB_MOUNT/ssl/* /etc/ssl chmod 640 /etc/ssl/certs/* chmod 400 /etc/ssl/private/* # change ownership of some certificates if [ -d /etc/prosody ]; then chown prosody:prosody /etc/ssl/private/xmpp.* chown prosody:prosody /etc/ssl/certs/xmpp.* fi if [ -d /etc/dovecot ]; then chown root:dovecot /etc/ssl/certs/dovecot.* chown root:dovecot /etc/ssl/private/dovecot.* fi if [ -f /etc/ssl/private/exim.key ]; then chown root:Debian-exim /etc/ssl/private/exim.key /etc/ssl/certs/exim.crt /etc/ssl/certs/exim.dhparam fi fi if [ -d $USB_MOUNT/personal ]; then echo 'Importing personal directory' cp -r $USB_MOUNT/personal /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/personal fi else if [ -d $USB_MOUNT ]; then umount $USB_MOUNT rm -rf $USB_MOUNT fi echo 'No USB drive attached' fi echo 'search_for_attached_usb_drive' >> $COMPLETION_FILE } function remove_proprietary_repos { if grep -Fxq "remove_proprietary_repos" $COMPLETION_FILE; then return fi sed -i 's/ non-free//g' /etc/apt/sources.list echo 'remove_proprietary_repos' >> $COMPLETION_FILE } function change_debian_repos { if grep -Fxq "change_debian_repos" $COMPLETION_FILE; then return fi rm -rf /var/lib/apt/lists/* apt-get clean sed -i "s/ftp.us.debian.org/$DEBIAN_REPO/g" /etc/apt/sources.list # ensure that there is a security repo if ! grep -q "security" /etc/apt/sources.list; then if grep -q "jessie" /etc/apt/sources.list; then echo "deb http://security.debian.org/ jessie/updates main contrib" >> /etc/apt/sources.list echo "#deb-src http://security.debian.org/ jessie/updates main contrib" >> /etc/apt/sources.list else if grep -q "wheezy" /etc/apt/sources.list; then echo "deb http://security.debian.org/ wheezy/updates main contrib" >> /etc/apt/sources.list echo "#deb-src http://security.debian.org/ wheezy/updates main contrib" >> /etc/apt/sources.list fi fi fi apt-get update apt-get -y --force-yes install apt-transport-https echo 'change_debian_repos' >> $COMPLETION_FILE } function initial_setup { if grep -Fxq "initial_setup" $COMPLETION_FILE; then return fi apt-get -y remove --purge apache* apt-get -y dist-upgrade apt-get -y install ca-certificates emacs24 echo 'initial_setup' >> $COMPLETION_FILE } function install_editor { if grep -Fxq "install_editor" $COMPLETION_FILE; then return fi update-alternatives --set editor /usr/bin/emacs24 echo 'install_editor' >> $COMPLETION_FILE } function enable_backports { if grep -Fxq "enable_backports" $COMPLETION_FILE; then return fi if ! grep -Fxq "deb http://$DEBIAN_REPO/debian jessie-backports main" /etc/apt/sources.list; then echo "deb http://$DEBIAN_REPO/debian jessie-backports main" >> /etc/apt/sources.list fi echo 'enable_backports' >> $COMPLETION_FILE } function update_the_kernel { if grep -Fxq "update_the_kernel" $COMPLETION_FILE; then return fi # if this is not a beaglebone or is a docker container # then just use the standard kernel if [[ $INSTALLED_WITHIN_DOCKER == "yes" || $INSTALLING_ON_BBB != "yes" ]]; then return fi cd /opt/scripts/tools ./update_kernel.sh --kernel $KERNEL_VERSION echo 'update_the_kernel' >> $COMPLETION_FILE } function enable_zram { if grep -Fxq "enable_zram" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" || $INSTALLING_ON_BBB != "yes" ]]; then return fi if ! grep -q "options zram num_devices=1" /etc/modprobe.d/zram.conf; then echo 'options zram num_devices=1' >> /etc/modprobe.d/zram.conf fi echo '#!/bin/bash' > /etc/init.d/zram echo '### BEGIN INIT INFO' >> /etc/init.d/zram echo '# Provides: zram' >> /etc/init.d/zram echo '# Required-Start:' >> /etc/init.d/zram echo '# Required-Stop:' >> /etc/init.d/zram echo '# Default-Start: 2 3 4 5' >> /etc/init.d/zram echo '# Default-Stop: 0 1 6' >> /etc/init.d/zram echo '# Short-Description: Increased Performance In Linux With zRam (Virtual Swap Compressed in RAM)' >> /etc/init.d/zram echo '# Description: Adapted from systemd scripts at https://github.com/mystilleef/FedoraZram' >> /etc/init.d/zram echo '### END INIT INFO' >> /etc/init.d/zram echo 'start() {' >> /etc/init.d/zram echo ' # get the number of CPUs' >> /etc/init.d/zram echo ' num_cpus=$(grep -c processor /proc/cpuinfo)' >> /etc/init.d/zram echo ' # if something goes wrong, assume we have 1' >> /etc/init.d/zram echo ' [ "$num_cpus" != 0 ] || num_cpus=1' >> /etc/init.d/zram echo ' # set decremented number of CPUs' >> /etc/init.d/zram echo ' decr_num_cpus=$((num_cpus - 1))' >> /etc/init.d/zram echo ' # get the amount of memory in the machine' >> /etc/init.d/zram echo ' mem_total_kb=$(grep MemTotal /proc/meminfo | grep -E --only-matching "[[:digit:]]+")' >> /etc/init.d/zram echo ' mem_total=$((mem_total_kb * 1024))' >> /etc/init.d/zram echo ' # load dependency modules' >> /etc/init.d/zram echo ' modprobe zram num_devices=$num_cpus' >> /etc/init.d/zram echo ' # initialize the devices' >> /etc/init.d/zram echo ' for i in $(seq 0 $decr_num_cpus); do' >> /etc/init.d/zram echo ' echo $((mem_total / num_cpus)) > /sys/block/zram$i/disksize' >> /etc/init.d/zram echo ' done' >> /etc/init.d/zram echo ' # Creating swap filesystems' >> /etc/init.d/zram echo ' for i in $(seq 0 $decr_num_cpus); do' >> /etc/init.d/zram echo ' mkswap /dev/zram$i' >> /etc/init.d/zram echo ' done' >> /etc/init.d/zram echo ' # Switch the swaps on' >> /etc/init.d/zram echo ' for i in $(seq 0 $decr_num_cpus); do' >> /etc/init.d/zram echo ' swapon -p 100 /dev/zram$i' >> /etc/init.d/zram echo ' done' >> /etc/init.d/zram echo '}' >> /etc/init.d/zram echo 'stop() {' >> /etc/init.d/zram echo ' # get the number of CPUs' >> /etc/init.d/zram echo ' num_cpus=$(grep -c processor /proc/cpuinfo)' >> /etc/init.d/zram echo ' # set decremented number of CPUs' >> /etc/init.d/zram echo ' decr_num_cpus=$((num_cpus - 1))' >> /etc/init.d/zram echo ' # Switching off swap' >> /etc/init.d/zram echo ' for i in $(seq 0 $decr_num_cpus); do' >> /etc/init.d/zram echo ' if [ "$(grep /dev/zram$i /proc/swaps)" != "" ]; then' >> /etc/init.d/zram echo ' swapoff /dev/zram$i' >> /etc/init.d/zram echo ' sleep 1' >> /etc/init.d/zram echo ' fi' >> /etc/init.d/zram echo ' done' >> /etc/init.d/zram echo ' sleep 1' >> /etc/init.d/zram echo ' rmmod zram' >> /etc/init.d/zram echo '}' >> /etc/init.d/zram echo 'case "$1" in' >> /etc/init.d/zram echo ' start)' >> /etc/init.d/zram echo ' start' >> /etc/init.d/zram echo ' ;;' >> /etc/init.d/zram echo ' stop)' >> /etc/init.d/zram echo ' stop' >> /etc/init.d/zram echo ' ;;' >> /etc/init.d/zram echo ' restart)' >> /etc/init.d/zram echo ' stop' >> /etc/init.d/zram echo ' sleep 3' >> /etc/init.d/zram echo ' start' >> /etc/init.d/zram echo ' ;;' >> /etc/init.d/zram echo ' *)' >> /etc/init.d/zram echo ' echo "Usage: $0 {start|stop|restart}"' >> /etc/init.d/zram echo ' RETVAL=1' >> /etc/init.d/zram echo 'esac' >> /etc/init.d/zram echo 'exit $RETVAL' >> /etc/init.d/zram chmod +x /etc/init.d/zram update-rc.d zram defaults echo 'enable_zram' >> $COMPLETION_FILE } function random_number_generator { if grep -Fxq "random_number_generator" $COMPLETION_FILE; then return fi if [[ $INSTALLING_ON_BBB != "yes" ]]; then # On systems which are not beaglebones assume that # no hardware random number generator is available # and use the second best option apt-get -y --force-yes install haveged return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # it is assumed that docker uses the random number # generator of the host system return fi if [[ $USE_HWRNG == "yes" ]]; then apt-get -y --force-yes install rng-tools sed -i 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/hwrng|g' /etc/default/rng-tools else apt-get -y --force-yes install haveged fi echo 'random_number_generator' >> $COMPLETION_FILE } function configure_ssh { if grep -Fxq "configure_ssh" $COMPLETION_FILE; then return fi sed -i "s/Port 22/Port $SSH_PORT/g" /etc/ssh/sshd_config sed -i 's/PermitRootLogin without-password/PermitRootLogin no/g' /etc/ssh/sshd_config sed -i 's/X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config sed -i 's/ServerKeyBits 1024/ServerKeyBits 4096/g' /etc/ssh/sshd_config sed -i 's/TCPKeepAlive yes/TCPKeepAlive no/g' /etc/ssh/sshd_config sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config echo 'Ciphers aes256-ctr,aes128-ctr' >> /etc/ssh/sshd_config echo 'MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1' >> /etc/ssh/sshd_config apt-get -y --force-yes install fail2ban echo 'configure_ssh' >> $COMPLETION_FILE # Don't reboot if installing within docker # random numbers will come from the host system if [[ $INSTALLED_WITHIN_DOCKER == "yes" || $INSTALLING_ON_BBB != "yes" ]]; then return fi echo '' echo '' echo ' *** Rebooting to initialise ssh settings and random number generator ***' echo '' echo " *** Reconnect via ssh on port $SSH_PORT, then run this script again ***" echo '' reboot } function regenerate_ssh_keys { if grep -Fxq "regenerate_ssh_keys" $COMPLETION_FILE; then return fi rm -f /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server service ssh restart echo 'regenerate_ssh_keys' >> $COMPLETION_FILE } function configure_dns { if grep -Fxq "configure_dns" $COMPLETION_FILE; then return fi echo 'domain localdomain' > /etc/resolv.conf echo 'search localdomain' >> /etc/resolv.conf echo 'nameserver 213.73.91.35' >> /etc/resolv.conf echo 'nameserver 85.214.20.141' >> /etc/resolv.conf echo 'configure_dns' >> $COMPLETION_FILE } function set_your_domain_name { if grep -Fxq "set_your_domain_name" $COMPLETION_FILE; then return fi echo "$DOMAIN_NAME" > /etc/hostname hostname $DOMAIN_NAME sed -i "s/127.0.1.1 arm/127.0.1.1 $DOMAIN_NAME/g" /etc/hosts echo "127.0.1.1 $DOMAIN_NAME" >> /etc/hosts echo 'set_your_domain_name' >> $COMPLETION_FILE } function time_synchronisation { if grep -Fxq "time_synchronisation" $COMPLETION_FILE; then return fi #apt-get -y --force-yes install tlsdate # building tlsdate from source is a workaround because of # this bug https://github.com/ioerror/tlsdate/issues/130 apt-get -y --force-yes install build-essential automake git pkg-config autoconf libtool libssl-dev libevent-dev if [ ! -d $INSTALL_DIR ]; then mkdir $INSTALL_DIR fi cd $INSTALL_DIR git clone https://github.com/ioerror/tlsdate.git cd $INSTALL_DIR/tlsdate ./autogen.sh ./configure make make install cp /usr/local/bin/tlsdate* /usr/bin cp /usr/local/sbin/tlsdate* /usr/bin apt-get -y remove ntpdate echo '#!/bin/bash' > /usr/bin/updatedate echo 'TIMESOURCE=google.com' >> /usr/bin/updatedate echo 'TIMESOURCE2=www.ptb.de' >> /usr/bin/updatedate echo 'LOGFILE=/var/log/tlsdate.log' >> /usr/bin/updatedate echo 'TIMEOUT=5' >> /usr/bin/updatedate echo "EMAIL=$MY_USERNAME@$DOMAIN_NAME" >> /usr/bin/updatedate echo '# File which contains the previous date as a number' >> /usr/bin/updatedate echo 'BEFORE_DATE_FILE=/var/log/tlsdateprevious.txt' >> /usr/bin/updatedate echo '# File which contains the previous date as a string' >> /usr/bin/updatedate echo 'BEFORE_FULLDATE_FILE=/var/log/tlsdate.txt' >> /usr/bin/updatedate echo 'DATE_BEFORE=$(date)' >> /usr/bin/updatedate echo 'BEFORE=$(date -d "$Y-$M-$D" "+%s")' >> /usr/bin/updatedate echo 'BACKWARDS_BETWEEN=0' >> /usr/bin/updatedate echo '# If the date was previously set' >> /usr/bin/updatedate echo 'if [ -f "$BEFORE_DATE_FILE" ]; then' >> /usr/bin/updatedate echo ' BEFORE_FILE=$(cat $BEFORE_DATE_FILE)' >> /usr/bin/updatedate echo ' BEFORE_FULLDATE=$(cat $BEFORE_FULLDATE_FILE)' >> /usr/bin/updatedate echo ' # is the date going backwards?' >> /usr/bin/updatedate echo ' if (( $BEFORE_FILE > $BEFORE )); then' >> /usr/bin/updatedate echo ' echo -n "Date went backwards between tlsdate updates. " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n "$BEFORE_FILE > $BEFORE, " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo "$BEFORE_FULLDATE > $DATE_BEFORE" >> $LOGFILE' >> /usr/bin/updatedate echo ' # Send a warning email' >> /usr/bin/updatedate echo ' echo $(tail $LOGFILE -n 2) | mail -s "tlsdate anomaly" $EMAIL' >> /usr/bin/updatedate echo ' # Try another time source' >> /usr/bin/updatedate echo ' TIMESOURCE=$TIMESOURCE2' >> /usr/bin/updatedate echo ' # try running without any parameters' >> /usr/bin/updatedate echo ' tlsdate >> $LOGFILE' >> /usr/bin/updatedate echo ' BACKWARDS_BETWEEN=1' >> /usr/bin/updatedate echo ' fi' >> /usr/bin/updatedate echo 'fi' >> /usr/bin/updatedate echo '# Set the date' >> /usr/bin/updatedate echo '/usr/bin/timeout $TIMEOUT tlsdate -l -t -H $TIMESOURCE -p 443 >> $LOGFILE' >> /usr/bin/updatedate echo 'DATE_AFTER=$(date)' >> /usr/bin/updatedate echo 'AFTER=$(date -d "$Y-$M-$D" '+%s')' >> /usr/bin/updatedate echo '# After setting the date did it go backwards?' >> /usr/bin/updatedate echo 'if (( $AFTER < $BEFORE )); then' >> /usr/bin/updatedate echo ' echo "Incorrect date: $DATE_BEFORE -> $DATE_AFTER" >> $LOGFILE' >> /usr/bin/updatedate echo ' # Send a warning email' >> /usr/bin/updatedate echo ' echo $(tail $LOGFILE -n 2) | mail -s "tlsdate anomaly" $EMAIL' >> /usr/bin/updatedate echo ' # Try resetting the date from another time source' >> /usr/bin/updatedate echo ' /usr/bin/timeout $TIMEOUT tlsdate -l -t -H $TIMESOURCE2 -p 443 >> $LOGFILE' >> /usr/bin/updatedate echo ' DATE_AFTER=$(date)' >> /usr/bin/updatedate echo ' AFTER=$(date -d "$Y-$M-$D" "+%s")' >> /usr/bin/updatedate echo 'else' >> /usr/bin/updatedate echo ' echo -n $TIMESOURCE >> $LOGFILE' >> /usr/bin/updatedate echo ' if [ -f "$BEFORE_DATE_FILE" ]; then' >> /usr/bin/updatedate echo ' echo -n " " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n $BEFORE_FILE >> $LOGFILE' >> /usr/bin/updatedate echo ' fi' >> /usr/bin/updatedate echo ' echo -n " " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n $BEFORE >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n " " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n $AFTER >> $LOGFILE' >> /usr/bin/updatedate echo ' echo -n " " >> $LOGFILE' >> /usr/bin/updatedate echo ' echo $DATE_AFTER >> $LOGFILE' >> /usr/bin/updatedate echo 'fi' >> /usr/bin/updatedate echo '# Log the last date' >> /usr/bin/updatedate echo 'if [[ $BACKWARDS_BETWEEN == 0 ]]; then' >> /usr/bin/updatedate echo ' echo "$AFTER" > $BEFORE_DATE_FILE' >> /usr/bin/updatedate echo ' echo "$DATE_AFTER" > $BEFORE_FULLDATE_FILE' >> /usr/bin/updatedate echo ' exit 0' >> /usr/bin/updatedate echo 'else' >> /usr/bin/updatedate echo ' exit 1' >> /usr/bin/updatedate echo 'fi' >> /usr/bin/updatedate chmod +x /usr/bin/updatedate echo '*/15 * * * * root /usr/bin/updatedate' >> /etc/crontab service cron restart echo '#!/bin/bash' > /etc/init.d/tlsdate echo '# /etc/init.d/tlsdate' >> /etc/init.d/tlsdate echo '### BEGIN INIT INFO' >> /etc/init.d/tlsdate echo '# Provides: tlsdate' >> /etc/init.d/tlsdate echo '# Required-Start: $remote_fs $syslog' >> /etc/init.d/tlsdate echo '# Required-Stop: $remote_fs $syslog' >> /etc/init.d/tlsdate echo '# Default-Start: 2 3 4 5' >> /etc/init.d/tlsdate echo '# Default-Stop: 0 1 6' >> /etc/init.d/tlsdate echo '# Short-Description: Initially calls tlsdate with the timewarp option' >> /etc/init.d/tlsdate echo '# Description: Initially calls tlsdate with the timewarp option' >> /etc/init.d/tlsdate echo '### END INIT INFO' >> /etc/init.d/tlsdate echo '# Author: Bob Mottram ' >> /etc/init.d/tlsdate echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin"' >> /etc/init.d/tlsdate echo 'LOGFILE="/var/log/tlsdate.log"' >> /etc/init.d/tlsdate echo 'TLSDATECOMMAND="tlsdate --timewarp -l -H www.ptb.de -p 443 >> $LOGFILE"' >> /etc/init.d/tlsdate echo '#Start-Stop here' >> /etc/init.d/tlsdate echo 'case "$1" in' >> /etc/init.d/tlsdate echo ' start)' >> /etc/init.d/tlsdate echo ' echo "tlsdate started"' >> /etc/init.d/tlsdate echo ' $TLSDATECOMMAND' >> /etc/init.d/tlsdate echo ' ;;' >> /etc/init.d/tlsdate echo ' stop)' >> /etc/init.d/tlsdate echo ' echo "tlsdate stopped"' >> /etc/init.d/tlsdate echo ' ;;' >> /etc/init.d/tlsdate echo ' restart)' >> /etc/init.d/tlsdate echo ' echo "tlsdate restarted"' >> /etc/init.d/tlsdate echo ' $TLSDATECOMMAND' >> /etc/init.d/tlsdate echo ' ;;' >> /etc/init.d/tlsdate echo ' *)' >> /etc/init.d/tlsdate echo ' echo "Usage: $0 {start|stop|restart}"' >> /etc/init.d/tlsdate echo ' exit 1' >> /etc/init.d/tlsdate echo ' ;;' >> /etc/init.d/tlsdate echo 'esac' >> /etc/init.d/tlsdate echo 'exit 0' >> /etc/init.d/tlsdate chmod +x /etc/init.d/tlsdate update-rc.d tlsdate defaults echo 'time_synchronisation' >> $COMPLETION_FILE } function configure_firewall { if grep -Fxq "configure_firewall" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -P INPUT ACCEPT ip6tables -P INPUT ACCEPT iptables -F ip6tables -F iptables -X ip6tables -X iptables -P INPUT DROP ip6tables -P INPUT DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Make sure incoming tcp connections are SYN packets iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP # Drop packets with incoming fragments iptables -A INPUT -f -j DROP # Drop bogons iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # Incoming malformed NULL packets: iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP echo 'configure_firewall' >> $COMPLETION_FILE } function save_firewall_settings { iptables-save > /etc/firewall.conf ip6tables-save > /etc/firewall6.conf printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables chmod +x /etc/network/if-up.d/iptables } function configure_firewall_for_dns { if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_dns' >> $COMPLETION_FILE } function configure_firewall_for_xmpp { if [ ! -d /etc/prosody ]; then return fi if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 5222:5223 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 5269 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 5280:5281 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE } function configure_firewall_for_irc { if [ ! -d /etc/ngircd ]; then return fi if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 6697 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 9999 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_irc' >> $COMPLETION_FILE } function configure_firewall_for_ftp { if grep -Fxq "configure_firewall_for_ftp" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -I INPUT -i eth0 -p tcp --dport 1024:65535 --sport 20:21 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_ftp' >> $COMPLETION_FILE } function configure_firewall_for_web_access { if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 32768:61000 --sport 80 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 32768:61000 --sport 443 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_web_access' >> $COMPLETION_FILE } function configure_firewall_for_web_server { if grep -Fxq "configure_firewall_for_web_server" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE } function configure_firewall_for_ssh { if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport $SSH_PORT -j ACCEPT save_firewall_settings echo 'configure_firewall_for_ssh' >> $COMPLETION_FILE } function configure_firewall_for_git { if grep -Fxq "configure_firewall_for_git" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 9418 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_git' >> $COMPLETION_FILE } function configure_firewall_for_email { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then return fi if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then # docker does its own firewalling return fi iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 587 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 465 -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 993 -j ACCEPT save_firewall_settings echo 'configure_firewall_for_email' >> $COMPLETION_FILE } function configure_internet_protocol { if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then return fi sed -i "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf sed -i "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf sed -i "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf sed -i "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf sed -i "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf sed -i "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf sed -i "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf echo '# ignore pings' >> /etc/sysctl.conf echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf echo '# disable ipv6' >> /etc/sysctl.conf echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf echo '# keepalive' >> /etc/sysctl.conf echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf echo 'configure_internet_protocol' >> $COMPLETION_FILE } function script_to_make_self_signed_certificates { if grep -Fxq "script_to_make_self_signed_certificates" $COMPLETION_FILE; then return fi echo '#!/bin/bash' > /usr/bin/makecert echo 'HOSTNAME=$1' >> /usr/bin/makecert echo 'COUNTRY_CODE="US"' >> /usr/bin/makecert echo 'AREA="Free Speech Zone"' >> /usr/bin/makecert echo 'LOCATION="Freedomville"' >> /usr/bin/makecert echo 'ORGANISATION="Freedombone"' >> /usr/bin/makecert echo 'UNIT="Freedombone Unit"' >> /usr/bin/makecert echo 'if ! which openssl > /dev/null ;then' >> /usr/bin/makecert echo ' echo "$0: openssl is not installed, exiting" 1>&2' >> /usr/bin/makecert echo ' exit 1' >> /usr/bin/makecert echo 'fi' >> /usr/bin/makecert echo 'openssl req -x509 -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt' >> /usr/bin/makecert echo 'openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam' >> /usr/bin/makecert echo 'chmod 400 /etc/ssl/private/$HOSTNAME.key' >> /usr/bin/makecert echo 'chmod 640 /etc/ssl/certs/$HOSTNAME.crt' >> /usr/bin/makecert echo 'chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam' >> /usr/bin/makecert echo 'if [ -f /etc/init.d/nginx ]; then' >> /usr/bin/makecert echo ' /etc/init.d/nginx reload' >> /usr/bin/makecert echo 'fi' >> /usr/bin/makecert echo '# add the public certificate to a separate directory' >> /usr/bin/makecert echo '# so that we can redistribute it easily' >> /usr/bin/makecert echo 'if [ ! -d /etc/ssl/mycerts ]; then' >> /usr/bin/makecert echo ' mkdir /etc/ssl/mycerts' >> /usr/bin/makecert echo 'fi' >> /usr/bin/makecert echo 'cp /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/mycerts' >> /usr/bin/makecert echo '# Create a bundle of your certificates' >> /usr/bin/makecert echo 'cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt' >> /usr/bin/makecert echo 'tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt' >> /usr/bin/makecert chmod +x /usr/bin/makecert echo 'script_to_make_self_signed_certificates' >> $COMPLETION_FILE } function configure_email { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "configure_email" $COMPLETION_FILE; then return fi apt-get -y remove postfix apt-get -y --force-yes install exim4 sasl2-bin swaks libnet-ssleay-perl procmail if [ ! -d /etc/exim4 ]; then echo "ERROR: Exim does not appear to have installed. $CHECK_MESSAGE" exit 48 fi # configure for Maildir format sed -i 's/MAIL_DIR/#MAIL_DIR/g' /etc/login.defs sed -i 's|#MAIL_FILE.*|MAIL_FILE Maildir/|g' /etc/login.defs if ! grep -q "export MAIL" /etc/profile; then echo 'export MAIL=~/Maildir' >> /etc/profile fi sed -i 's|pam_mail.so standard|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/login sed -i 's|pam_mail.so standard noenv|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/sshd sed -i 's|pam_mail.so nopen|pam_mail.so dir=~/Maildir nopen|g' /etc/pam.d/su echo 'dc_eximconfig_configtype="internet"' > /etc/exim4/update-exim4.conf.conf echo "dc_other_hostnames='$DOMAIN_NAME'" >> /etc/exim4/update-exim4.conf.conf echo "dc_local_interfaces=''" >> /etc/exim4/update-exim4.conf.conf echo "dc_readhost=''" >> /etc/exim4/update-exim4.conf.conf echo "dc_relay_domains=''" >> /etc/exim4/update-exim4.conf.conf echo "dc_minimaldns='false'" >> /etc/exim4/update-exim4.conf.conf echo "dc_relay_nets='192.168.1.0/24'" >> /etc/exim4/update-exim4.conf.conf echo "dc_smarthost=''" >> /etc/exim4/update-exim4.conf.conf echo "CFILEMODE='644'" >> /etc/exim4/update-exim4.conf.conf echo "dc_use_split_config='false'" >> /etc/exim4/update-exim4.conf.conf echo "dc_hide_mailname=''" >> /etc/exim4/update-exim4.conf.conf echo "dc_mailname_in_oh='true'" >> /etc/exim4/update-exim4.conf.conf echo "dc_localdelivery='maildir_home'" >> /etc/exim4/update-exim4.conf.conf update-exim4.conf sed -i "s/START=no/START=yes/g" /etc/default/saslauthd /etc/init.d/saslauthd start # make a tls certificate for email if [ ! -f /etc/ssl/private/exim.key ]; then makecert exim fi cp /etc/ssl/private/exim.key /etc/exim4 cp /etc/ssl/certs/exim.crt /etc/exim4 cp /etc/ssl/certs/exim.dhparam /etc/exim4 chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam sed -i '/login_saslauthd_server/,/.endif/ s/# *//' /etc/exim4/exim4.conf.template sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME = $DOMAIN_NAME\nMAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template sed -i "s|SMTPLISTENEROPTIONS=''|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4 if ! grep -q "tls_on_connect_ports=465" /etc/exim4/exim4.conf.template; then sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' /etc/exim4/exim4.conf.template fi adduser $MY_USERNAME sasl addgroup Debian-exim sasl /etc/init.d/exim4 restart if [ ! -d /etc/skel/Maildir ]; then mkdir -m 700 /etc/skel/Maildir mkdir -m 700 /etc/skel/Maildir/Sent mkdir -m 700 /etc/skel/Maildir/Sent/tmp mkdir -m 700 /etc/skel/Maildir/Sent/cur mkdir -m 700 /etc/skel/Maildir/Sent/new mkdir -m 700 /etc/skel/Maildir/.learn-spam mkdir -m 700 /etc/skel/Maildir/.learn-spam/cur mkdir -m 700 /etc/skel/Maildir/.learn-spam/new mkdir -m 700 /etc/skel/Maildir/.learn-spam/tmp mkdir -m 700 /etc/skel/Maildir/.learn-ham mkdir -m 700 /etc/skel/Maildir/.learn-ham/cur mkdir -m 700 /etc/skel/Maildir/.learn-ham/new mkdir -m 700 /etc/skel/Maildir/.learn-ham/tmp ln -s /etc/skel/Maildir/.learn-spam /etc/skel/Maildir/spam ln -s /etc/skel/Maildir/.learn-ham /etc/skel/Maildir/ham fi if [ ! -d /home/$MY_USERNAME/Maildir ]; then mkdir -m 700 /home/$MY_USERNAME/Maildir mkdir -m 700 /home/$MY_USERNAME/Maildir/cur mkdir -m 700 /home/$MY_USERNAME/Maildir/tmp mkdir -m 700 /home/$MY_USERNAME/Maildir/new mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/cur mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/tmp mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/new mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/cur mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/new mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/tmp mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/cur mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/new mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/tmp ln -s /home/$MY_USERNAME/Maildir/.learn-spam /home/$MY_USERNAME/Maildir/spam ln -s /home/$MY_USERNAME/Maildir/.learn-ham /home/$MY_USERNAME/Maildir/ham chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir fi echo 'configure_email' >> $COMPLETION_FILE } function create_procmail { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "create_procmail" $COMPLETION_FILE; then return fi if [ ! -f /home/$MY_USERNAME/.procmailrc ]; then echo 'MAILDIR=$HOME/Maildir' > /home/$MY_USERNAME/.procmailrc echo 'DEFAULT=$MAILDIR/' >> /home/$MY_USERNAME/.procmailrc echo 'LOGFILE=$HOME/log/procmail.log' >> /home/$MY_USERNAME/.procmailrc echo 'LOGABSTRACT=all' >> /home/$MY_USERNAME/.procmailrc fi echo 'create_procmail' >> $COMPLETION_FILE } function spam_filtering { # NOTE: spamassassin installation currently doesn't work, sa-compile fails with a make error 23/09/2014 if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "spam_filtering" $COMPLETION_FILE; then return fi apt-get -y --force-yes install exim4-daemon-heavy apt-get -y --force-yes install spamassassin sa-update -v sed -i 's/ENABLED=0/ENABLED=1/g' /etc/default/spamassassin sed -i 's/# spamd_address = 127.0.0.1 783/spamd_address = 127.0.0.1 783/g' /etc/exim4/exim4.conf.template # This configuration is based on https://wiki.debian.org/DebianSpamAssassin sed -i 's/local_parts = postmaster/local_parts = postmaster:abuse/g' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt sed -i '/domains = +local_domains : +relay_to_domains/a\ set acl_m0 = rfcnames' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt sed -i 's/accept/accept condition = ${if eq{$acl_m0}{rfcnames} {1}{0}}/g' /etc/exim4/conf.d/acl/40_exim4-config_check_data echo 'warn message = X-Spam-Score: $spam_score ($spam_bar)' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo ' spam = nobody:true' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo 'warn message = X-Spam-Flag: YES' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo ' spam = nobody' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo 'warn message = X-Spam-Report: $spam_report' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo ' spam = nobody' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo '# reject spam at high scores (> 12)' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo 'deny message = This message scored $spam_score spam points.' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo ' spam = nobody:true' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data echo ' condition = ${if >{$spam_score_int}{120}{1}{0}}' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data # procmail configuration echo '# get spamassassin to check emails' >> /home/$MY_USERNAME/.procmailrc echo ':0fw: .spamassassin.lock' >> /home/$MY_USERNAME/.procmailrc echo ' * < 256000' >> /home/$MY_USERNAME/.procmailrc echo '| spamc' >> /home/$MY_USERNAME/.procmailrc echo '# strong spam are discarded' >> /home/$MY_USERNAME/.procmailrc echo ':0' >> /home/$MY_USERNAME/.procmailrc echo ' * ^X-Spam-Level: \*\*\*\*\*\*' >> /home/$MY_USERNAME/.procmailrc echo '/dev/null' >> /home/$MY_USERNAME/.procmailrc echo '# weak spam are kept just in case - clear this out every now and then' >> /home/$MY_USERNAME/.procmailrc echo ':0' >> /home/$MY_USERNAME/.procmailrc echo ' * ^X-Spam-Level: \*\*\*\*\*' >> /home/$MY_USERNAME/.procmailrc echo '.0-spam/' >> /home/$MY_USERNAME/.procmailrc echo '# otherwise, marginal spam goes here for revision' >> /home/$MY_USERNAME/.procmailrc echo ':0' >> /home/$MY_USERNAME/.procmailrc echo ' * ^X-Spam-Level: \*\*' >> /home/$MY_USERNAME/.procmailrc echo '.spam/' >> /home/$MY_USERNAME/.procmailrc chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc # filtering scripts echo '#!/bin/bash' > /usr/bin/filterspam echo 'USERNAME=$1' >> /usr/bin/filterspam echo 'MAILDIR=/home/$USERNAME/Maildir/.learn-spam' >> /usr/bin/filterspam echo 'if [ ! -d "$MAILDIR" ]; then' >> /usr/bin/filterspam echo ' exit' >> /usr/bin/filterspam echo 'fi' >> /usr/bin/filterspam echo 'for f in `ls $MAILDIR/cur`' >> /usr/bin/filterspam echo 'do' >> /usr/bin/filterspam echo ' spamc -L spam < "$MAILDIR/cur/$f" > /dev/null' >> /usr/bin/filterspam echo ' rm "$MAILDIR/cur/$f"' >> /usr/bin/filterspam echo 'done' >> /usr/bin/filterspam echo 'for f in `ls $MAILDIR/new`' >> /usr/bin/filterspam echo 'do' >> /usr/bin/filterspam echo ' spamc -L spam < "$MAILDIR/new/$f" > /dev/null' >> /usr/bin/filterspam echo ' rm "$MAILDIR/new/$f"' >> /usr/bin/filterspam echo 'done' >> /usr/bin/filterspam echo '#!/bin/bash' > /usr/bin/filterham echo 'USERNAME=$1' >> /usr/bin/filterham echo 'MAILDIR=/home/$USERNAME/Maildir/.learn-ham' >> /usr/bin/filterham echo 'if [ ! -d "$MAILDIR" ]; then' >> /usr/bin/filterham echo ' exit' >> /usr/bin/filterham echo 'fi' >> /usr/bin/filterham echo 'for f in `ls $MAILDIR/cur`' >> /usr/bin/filterham echo 'do' >> /usr/bin/filterham echo ' spamc -L ham < "$MAILDIR/cur/$f" > /dev/null' >> /usr/bin/filterham echo ' rm "$MAILDIR/cur/$f"' >> /usr/bin/filterham echo 'done' >> /usr/bin/filterham echo 'for f in `ls $MAILDIR/new`' >> /usr/bin/filterham echo 'do' >> /usr/bin/filterham echo ' spamc -L ham < "$MAILDIR/new/$f" > /dev/null' >> /usr/bin/filterham echo ' rm "$MAILDIR/new/$f"' >> /usr/bin/filterham echo 'done' >> /usr/bin/filterham if ! grep -q "filterspam" /etc/crontab; then echo "*/3 * * * * root /usr/bin/timeout 120 /usr/bin/filterspam $MY_USERNAME" >> /etc/crontab fi if ! grep -q "filterham" /etc/crontab; then echo "*/3 * * * * root /usr/bin/timeout 120 /usr/bin/filterham $MY_USERNAME" >> /etc/crontab fi chmod 655 /usr/bin/filterspam /usr/bin/filterham sed -i 's/# use_bayes 1/use_bayes 1/g' /etc/mail/spamassassin/local.cf sed -i 's/# bayes_auto_learn 1/bayes_auto_learn 1/g' /etc/mail/spamassassin/local.cf service spamassassin restart service exim4 restart service cron restart echo 'spam_filtering' >> $COMPLETION_FILE } function configure_imap { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "configure_imap" $COMPLETION_FILE; then return fi apt-get -y --force-yes install dovecot-common dovecot-imapd if [ ! -d /etc/dovecot ]; then echo "ERROR: Dovecot does not appear to have installed. $CHECK_MESSAGE" exit 48 fi if [ ! -f /etc/ssl/private/dovecot.key ]; then makecert dovecot fi chown root:dovecot /etc/ssl/certs/dovecot.* chown root:dovecot /etc/ssl/private/dovecot.* sed -i 's|#ssl = yes|ssl = yes|g' /etc/dovecot/conf.d/10-ssl.conf sed -i 's|ssl_cert = > /etc/dovecot/conf.d/10-ssl.conf sed -i 's/#listen = *, ::/listen = */g' /etc/dovecot/dovecot.conf sed -i 's/#disable_plaintext_auth = yes/disable_plaintext_auth = no/g' /etc/dovecot/conf.d/10-auth.conf sed -i 's/auth_mechanisms = plain/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf sed -i 's|# mail_location = maildir:~/Maildir| mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf echo 'configure_imap' >> $COMPLETION_FILE } function configure_gpg { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "configure_gpg" $COMPLETION_FILE; then return fi apt-get -y --force-yes install gnupg # if gpg keys directory was previously imported from usb if [[ $GPG_KEYS_IMPORTED == "yes" && -d /home/$MY_USERNAME/.gnupg ]]; then sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" /home/$MY_USERNAME/.gnupg/gpg.conf MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}'" - $MY_USERNAME) echo 'configure_gpg' >> $COMPLETION_FILE return fi if [ ! -d /home/$MY_USERNAME/.gnupg ]; then mkdir /home/$MY_USERNAME/.gnupg echo 'keyserver hkp://keys.gnupg.net' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'keyserver-options auto-key-retrieve' >> /home/$MY_USERNAME/.gnupg/gpg.conf fi sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" /home/$MY_USERNAME/.gnupg/gpg.conf if ! grep -q "# default preferences" /home/$MY_USERNAME/.gnupg/gpg.conf; then echo '' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo '# default preferences' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'personal-digest-preferences SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'cert-digest-algo SHA256' >> /home/$MY_USERNAME/.gnupg/gpg.conf echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> /home/$MY_USERNAME/.gnupg/gpg.conf fi chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg if [[ $MY_GPG_PUBLIC_KEY && $MY_GPG_PRIVATE_KEY ]]; then # use your existing GPG keys which were exported if [ ! -f $MY_GPG_PUBLIC_KEY ]; then echo "GPG public key file $MY_GPG_PUBLIC_KEY was not found" exit 5 fi if [ ! -f $MY_GPG_PRIVATE_KEY ]; then echo "GPG private key file $MY_GPG_PRIVATE_KEY was not found" exit 6 fi su -c "gpg --import $MY_GPG_PUBLIC_KEY" - $MY_USERNAME su -c "gpg --allow-secret-key-import --import $MY_GPG_PRIVATE_KEY" - $MY_USERNAME # for security ensure that the private key file doesn't linger around shred -zu $MY_GPG_PRIVATE_KEY MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}'" - $MY_USERNAME) else # Generate a GPG key echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf echo "Name-Real: $MY_USERNAME@$DOMAIN_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf echo "Name-Email: $MY_USERNAME@$DOMAIN_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME shred -zu /home/$MY_USERNAME/gpg-genkey.conf MY_GPG_PUBLIC_KEY_ID=$(su -c "gpg --list-keys $MY_USERNAME@$DOMAIN_NAME | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}'" - $MY_USERNAME) MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME fi echo 'configure_gpg' >> $COMPLETION_FILE } function encrypt_incoming_email { # encrypts incoming mail using your GPG public key # so even if an attacker gains access to the data at rest they still need # to know your GPG key password to be able to read anything if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "encrypt_incoming_email" $COMPLETION_FILE; then return fi if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then return fi if [ ! -f /usr/bin/gpgit.pl ]; then apt-get -y --force-yes install git libmail-gnupg-perl cd $INSTALL_DIR git clone https://github.com/mikecardwell/gpgit cd gpgit cp gpgit.pl /usr/bin fi # add a procmail rule if ! grep -q "/usr/bin/gpgit.pl" /home/$MY_USERNAME/.procmailrc; then echo '' >> /home/$MY_USERNAME/.procmailrc echo ':0 f' >> /home/$MY_USERNAME/.procmailrc echo "| /usr/bin/gpgit.pl $MY_USERNAME@$DOMAIN_NAME" >> /home/$MY_USERNAME/.procmailrc chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc fi echo 'encrypt_incoming_email' >> $COMPLETION_FILE } function encrypt_outgoing_email { # encrypts outgoing mail using your GPG public key # so even if an attacker gains access to the data at rest they still need # to know your GPG key password to be able to read sent mail if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "encrypt_outgoing_email" $COMPLETION_FILE; then return fi if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then return fi echo 'sent_items_router:' > /etc/exim4/conf.d/router/170_exim4-config_encryptsent echo ' driver = accept' >> /etc/exim4/conf.d/router/170_exim4-config_encryptsent echo ' transport = sent_items_transport' >> /etc/exim4/conf.d/router/170_exim4-config_encryptsent echo ' condition = ${if !eq{$authenticated_id}{}}' >> /etc/exim4/conf.d/router/170_exim4-config_encryptsent echo ' unseen' >> /etc/exim4/conf.d/router/170_exim4-config_encryptsent echo ' no_verify' >> /etc/exim4/conf.d/router/170_exim4-config_encryptsent # TODO echo 'sent_items_transport:' echo ' driver = pipe' echo ' user = $authenticated_id' echo ' group = Debian-exim' echo ' temp_errors = *' echo ' transport_filter = /usr/bin/gpgit.pl $sender_address' echo ' command = /usr/bin/pipe2imap.pl --ssl --user master --authas $authenticated_id --passfile /etc/exim4/master_imap_password.txt --folder "Sent Items" --flags "\\seen"' echo ' log_defer_output = true' service exim4 restart echo 'encrypt_outgoing_email' >> $COMPLETION_FILE } function email_client { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "email_client" $COMPLETION_FILE; then return fi apt-get -y --force-yes install mutt-patched lynx abook if [ ! -f /etc/Muttrc ]; then echo "ERROR: Mutt does not appear to have installed. $CHECK_MESSAGE" exit 49 fi if [ ! -d /home/$MY_USERNAME/.mutt ]; then mkdir /home/$MY_USERNAME/.mutt fi echo "text/html; lynx -dump -width=78 -nolist %s | sed ‘s/^ //’; copiousoutput; needsterminal; nametemplate=%s.html" > /home/$MY_USERNAME/.mutt/mailcap chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.mutt echo 'set mbox_type=Maildir' >> /etc/Muttrc echo 'set folder="~/Maildir"' >> /etc/Muttrc echo 'set mask="!^\\.[^.]"' >> /etc/Muttrc echo 'set mbox="~/Maildir"' >> /etc/Muttrc echo 'set record="+Sent"' >> /etc/Muttrc echo 'set postponed="+Drafts"' >> /etc/Muttrc echo 'set trash="+Trash"' >> /etc/Muttrc echo 'set spoolfile="~/Maildir"' >> /etc/Muttrc echo 'auto_view text/x-vcard text/html text/enriched' >> /etc/Muttrc echo 'set editor="emacs"' >> /etc/Muttrc echo 'set header_cache="+.cache"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo 'macro index S "=.learn-spam" "move to learn-spam"' >> /etc/Muttrc echo 'macro pager S "=.learn-spam" "move to learn-spam"' >> /etc/Muttrc echo 'macro index H "=.learn-ham" "copy to learn-ham"' >> /etc/Muttrc echo 'macro pager H "=.learn-ham" "copy to learn-ham"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# set up the sidebar' >> /etc/Muttrc echo 'set sidebar_width=12' >> /etc/Muttrc echo 'set sidebar_visible=yes' >> /etc/Muttrc echo "set sidebar_delim='|'" >> /etc/Muttrc echo 'set sidebar_sort=yes' >> /etc/Muttrc echo '' >> /etc/Muttrc echo 'set rfc2047_parameters' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# Show inbox and sent items' >> /etc/Muttrc echo 'mailboxes = =Sent' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# Alter these colours as needed for maximum bling' >> /etc/Muttrc echo 'color sidebar_new yellow default' >> /etc/Muttrc echo 'color normal white default' >> /etc/Muttrc echo 'color hdrdefault brightcyan default' >> /etc/Muttrc echo 'color signature green default' >> /etc/Muttrc echo 'color attachment brightyellow default' >> /etc/Muttrc echo 'color quoted green default' >> /etc/Muttrc echo 'color quoted1 white default' >> /etc/Muttrc echo 'color tilde blue default' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# ctrl-n, ctrl-p to select next, prev folder' >> /etc/Muttrc echo '# ctrl-o to open selected folder' >> /etc/Muttrc echo 'bind index \Cp sidebar-prev' >> /etc/Muttrc echo 'bind index \Cn sidebar-next' >> /etc/Muttrc echo 'bind index \Co sidebar-open' >> /etc/Muttrc echo 'bind pager \Cp sidebar-prev' >> /etc/Muttrc echo 'bind pager \Cn sidebar-next' >> /etc/Muttrc echo 'bind pager \Co sidebar-open' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# ctrl-b toggles sidebar visibility' >> /etc/Muttrc echo "macro index,pager \Cb 'toggle sidebar_visible' 'toggle sidebar'" >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# esc-m Mark new messages as read' >> /etc/Muttrc echo 'macro index m "T~N;WNT~O;WO\CT~T" "mark all messages read"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# Collapsing threads' >> /etc/Muttrc echo 'macro index [ "" "collapse/uncollapse thread"' >> /etc/Muttrc echo 'macro index ] "" "collapse/uncollapse all threads"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# threads containing new messages' >> /etc/Muttrc echo 'uncolor index "~(~N)"' >> /etc/Muttrc echo 'color index brightblue default "~(~N)"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# new messages themselves' >> /etc/Muttrc echo 'uncolor index "~N"' >> /etc/Muttrc echo 'color index brightyellow default "~N"' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# GPG/PGP integration' >> /etc/Muttrc echo '# this set the number of seconds to keep in memory the passphrase used to encrypt/sign' >> /etc/Muttrc echo 'set pgp_timeout=1800' >> /etc/Muttrc echo '' >> /etc/Muttrc echo '# automatically sign and encrypt with PGP/MIME' >> /etc/Muttrc echo 'set pgp_autosign # autosign all outgoing mails' >> /etc/Muttrc echo 'set pgp_autoencrypt # Try to encrypt automatically' >> /etc/Muttrc echo 'set pgp_replyencrypt # autocrypt replies to crypted' >> /etc/Muttrc echo 'set pgp_replysign # autosign replies to signed' >> /etc/Muttrc echo 'set pgp_auto_decode=yes # decode attachments' >> /etc/Muttrc echo 'set fcc_clear # Keep cleartext copy of sent encrypted mail' >> /etc/Muttrc echo 'unset smime_is_default' >> /etc/Muttrc echo '' >> /etc/Muttrc echo 'set alias_file=~/.mutt-alias' >> /etc/Muttrc echo 'source ~/.mutt-alias' >> /etc/Muttrc echo 'set query_command= "abook --mutt-query \"%s\""' >> /etc/Muttrc echo 'macro index,pager A "abook --add-email-quiet" "add the sender address to abook"' >> /etc/Muttrc cp -f /etc/Muttrc /home/$MY_USERNAME/.muttrc touch /home/$MY_USERNAME/.mutt-alias chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.muttrc chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.mutt-alias echo 'email_client' >> $COMPLETION_FILE } function folders_for_mailing_lists { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "folders_for_mailing_lists" $COMPLETION_FILE; then return fi echo '#!/bin/bash' > /usr/bin/addmailinglist echo 'MYUSERNAME=$1' >> /usr/bin/addmailinglist echo 'MAILINGLIST=$2' >> /usr/bin/addmailinglist echo 'SUBJECTTAG=$3' >> /usr/bin/addmailinglist echo 'MUTTRC=/home/$MYUSERNAME/.muttrc' >> /usr/bin/addmailinglist echo 'PM=/home/$MYUSERNAME/.procmailrc' >> /usr/bin/addmailinglist echo 'LISTDIR=/home/$MYUSERNAME/Maildir/$MAILINGLIST' >> /usr/bin/addmailinglist echo '' >> /usr/bin/addmailinglist echo '# Exit if the list was already added' >> /usr/bin/addmailinglist echo 'if grep -q "=$MAILINGLIST" $MUTTRC; then' >> /usr/bin/addmailinglist echo ' exit 1' >> /usr/bin/addmailinglist echo 'fi' >> /usr/bin/addmailinglist echo '' >> /usr/bin/addmailinglist echo 'if ! [[ $MYUSERNAME && $MAILINGLIST && $SUBJECTTAG ]]; then' >> /usr/bin/addmailinglist echo ' echo "mailinglistsrule [user name] [mailing list name] [subject tag]"' >> /usr/bin/addmailinglist echo ' exit 1' >> /usr/bin/addmailinglist echo 'fi' >> /usr/bin/addmailinglist echo '' >> /usr/bin/addmailinglist echo 'if [ ! -d "$LISTDIR" ]; then' >> /usr/bin/addmailinglist echo ' mkdir -m 700 $LISTDIR' >> /usr/bin/addmailinglist echo ' mkdir -m 700 $LISTDIR/tmp' >> /usr/bin/addmailinglist echo ' mkdir -m 700 $LISTDIR/new' >> /usr/bin/addmailinglist echo ' mkdir -m 700 $LISTDIR/cur' >> /usr/bin/addmailinglist echo 'fi' >> /usr/bin/addmailinglist echo '' >> /usr/bin/addmailinglist echo 'chown -R $MYUSERNAME:$MYUSERNAME $LISTDIR' >> /usr/bin/addmailinglist echo 'echo "" >> $PM' >> /usr/bin/addmailinglist echo 'echo ":0" >> $PM' >> /usr/bin/addmailinglist echo 'echo " * ^Subject:.*()\[$SUBJECTTAG\]" >> $PM' >> /usr/bin/addmailinglist echo 'echo "$LISTDIR/new" >> $PM' >> /usr/bin/addmailinglist echo 'chown $MYUSERNAME:$MYUSERNAME $PM' >> /usr/bin/addmailinglist echo '' >> /usr/bin/addmailinglist echo 'if [ ! -f "$MUTTRC" ]; then' >> /usr/bin/addmailinglist echo ' cp /etc/Muttrc $MUTTRC' >> /usr/bin/addmailinglist echo ' chown $MYUSERNAME:$MYUSERNAME $MUTTRC' >> /usr/bin/addmailinglist echo 'fi' >> /usr/bin/addmailinglist echo '' >> /usr/bin/addmailinglist echo 'PROCMAILLOG=/home/$MYUSERNAME/log' >> /usr/bin/addmailinglist echo 'if [ ! -d $PROCMAILLOG ]; then' >> /usr/bin/addmailinglist echo ' mkdir $PROCMAILLOG' >> /usr/bin/addmailinglist echo ' chown -R $MYUSERNAME:$MYUSERNAME $PROCMAILLOG' >> /usr/bin/addmailinglist echo 'fi' >> /usr/bin/addmailinglist echo '' >> /usr/bin/addmailinglist echo 'MUTT_MAILBOXES=$(grep "mailboxes =" $MUTTRC)' >> /usr/bin/addmailinglist echo 'if [[ $MUTT_MAILBOXES != *$MAILINGLIST* ]]; then' >> /usr/bin/addmailinglist echo ' sed -i "s|$MUTT_MAILBOXES|$MUTT_MAILBOXES =$MAILINGLIST|g" $MUTTRC' >> /usr/bin/addmailinglist echo ' chown $MYUSERNAME:$MYUSERNAME $MUTTRC' >> /usr/bin/addmailinglist echo 'fi' >> /usr/bin/addmailinglist echo 'exit 0' >> /usr/bin/addmailinglist chmod +x /usr/bin/addmailinglist echo 'folders_for_mailing_lists' >> $COMPLETION_FILE } function folders_for_email_addresses { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "folders_for_email_addresses" $COMPLETION_FILE; then return fi echo '#!/bin/bash' > /usr/bin/addemailtofolder echo 'MYUSERNAME=$1' >> /usr/bin/addemailtofolder echo 'EMAILADDRESS=$2' >> /usr/bin/addemailtofolder echo 'MAILINGLIST=$3' >> /usr/bin/addemailtofolder echo 'MUTTRC=/home/$MYUSERNAME/.muttrc' >> /usr/bin/addemailtofolder echo 'PM=/home/$MYUSERNAME/.procmailrc' >> /usr/bin/addemailtofolder echo 'LISTDIR=/home/$MYUSERNAME/Maildir/$MAILINGLIST' >> /usr/bin/addemailtofolder echo '' >> /usr/bin/addemailtofolder echo 'if ! [[ $MYUSERNAME && $EMAILADDRESS && $MAILINGLIST ]]; then' >> /usr/bin/addemailtofolder echo ' echo "addemailtofolder [user name] [email address] [mailing list name]"' >> /usr/bin/addemailtofolder echo ' exit 1' >> /usr/bin/addemailtofolder echo 'fi' >> /usr/bin/addemailtofolder echo '' >> /usr/bin/addemailtofolder echo 'if [ ! -d "$LISTDIR" ]; then' >> /usr/bin/addemailtofolder echo ' mkdir -m 700 $LISTDIR' >> /usr/bin/addemailtofolder echo ' mkdir -m 700 $LISTDIR/tmp' >> /usr/bin/addemailtofolder echo ' mkdir -m 700 $LISTDIR/new' >> /usr/bin/addemailtofolder echo ' mkdir -m 700 $LISTDIR/cur' >> /usr/bin/addemailtofolder echo 'fi' >> /usr/bin/addemailtofolder echo 'chown -R $MYUSERNAME:$MYUSERNAME $LISTDIR' >> /usr/bin/addemailtofolder echo 'echo "" >> $PM' >> /usr/bin/addemailtofolder echo 'echo ":0" >> $PM' >> /usr/bin/addemailtofolder echo 'echo " * ^From: $EMAILADDRESS" >> $PM' >> /usr/bin/addemailtofolder echo 'echo "$LISTDIR/new" >> $PM' >> /usr/bin/addemailtofolder echo 'chown $MYUSERNAME:$MYUSERNAME $PM' >> /usr/bin/addemailtofolder echo 'if [ ! -f "$MUTTRC" ]; then' >> /usr/bin/addemailtofolder echo ' cp /etc/Muttrc $MUTTRC' >> /usr/bin/addemailtofolder echo ' chown $MYUSERNAME:$MYUSERNAME $MUTTRC' >> /usr/bin/addemailtofolder echo 'fi' >> /usr/bin/addemailtofolder echo 'PROCMAILLOG=/home/$MYUSERNAME/log' >> /usr/bin/addemailtofolder echo 'if [ ! -d $PROCMAILLOG ]; then' >> /usr/bin/addemailtofolder echo ' mkdir $PROCMAILLOG' >> /usr/bin/addemailtofolder echo ' chown -R $MYUSERNAME:$MYUSERNAME $PROCMAILLOG' >> /usr/bin/addemailtofolder echo 'fi' >> /usr/bin/addemailtofolder echo 'MUTT_MAILBOXES=$(grep "mailboxes =" $MUTTRC)' >> /usr/bin/addemailtofolder echo 'if [[ $MUTT_MAILBOXES != *$MAILINGLIST* ]]; then' >> /usr/bin/addemailtofolder echo ' if ! grep -q "=$MAILINGLIST" $MUTTRC; then' >> /usr/bin/addemailtofolder echo ' sed -i "s|$MUTT_MAILBOXES|$MUTT_MAILBOXES =$MAILINGLIST|g" $MUTTRC' >> /usr/bin/addemailtofolder echo ' chown $MYUSERNAME:$MYUSERNAME $MUTTRC' >> /usr/bin/addemailtofolder echo ' fi' >> /usr/bin/addemailtofolder echo 'fi' >> /usr/bin/addemailtofolder echo 'exit 0' >> /usr/bin/addemailtofolder chmod +x /usr/bin/addemailtofolder echo 'folders_for_email_addresses' >> $COMPLETION_FILE } function dynamic_dns_freedns { if grep -Fxq "dynamic_dns_freedns" $COMPLETION_FILE; then return fi echo '#!/bin/bash' > /usr/bin/dynamicdns echo '# subdomain name 1' >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns echo '# add any other subdomains below' >> /usr/bin/dynamicdns chmod 600 /usr/bin/dynamicdns chmod +x /usr/bin/dynamicdns if ! grep -q "dynamicdns" /etc/crontab; then sed -i '/# m h dom mon dow user command/a\*/5 * * * * root /usr/bin/timeout 240 /usr/bin/dynamicdns' /etc/crontab fi service cron restart echo 'dynamic_dns_freedns' >> $COMPLETION_FILE } function create_public_mailing_list { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi if grep -Fxq "create_public_mailing_list" $COMPLETION_FILE; then return fi if [ ! $PUBLIC_MAILING_LIST ]; then return fi # does the mailing list have a separate domain name? if [ ! $PUBLIC_MAILING_LIST_DOMAIN_NAME ]; then PUBLIC_MAILING_LIST_DOMAIN_NAME=$DOMAIN_NAME fi PUBLIC_MAILING_LIST_USER="mlmmj" apt-get -y --force-yes install mlmmj adduser --system $PUBLIC_MAILING_LIST_USER addgroup $PUBLIC_MAILING_LIST_USER adduser $PUBLIC_MAILING_LIST_USER $PUBLIC_MAILING_LIST_USER echo '' echo "Creating the $PUBLIC_MAILING_LIST mailing list" echo '' # create the list mlmmj-make-ml -a -L "$PUBLIC_MAILING_LIST" -c $PUBLIC_MAILING_LIST_USER echo 'SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe' > /etc/exim4/conf.d/main/000_localmacros echo "SYSTEM_ALIASES_USER = $PUBLIC_MAILING_LIST_USER" >> /etc/exim4/conf.d/main/000_localmacros echo "SYSTEM_ALIASES_GROUP = $PUBLIC_MAILING_LIST_USER" >> /etc/exim4/conf.d/main/000_localmacros # router echo 'mlmmj_router:' > /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' debug_print = "R: mlmmj_router for $local_part@$domain"' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' driver = accept' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' domains = +mlmmj_domains' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' #require_files = MLMMJ_HOME/${lc::$local_part}' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' # Use this instead, if you dont want to give Exim rx rights to mlmmj spool.' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' # Exim will then spawn a new process running under the UID of "mlmmj".' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' require_files = mlmmj:MLMMJ_HOME/${lc::$local_part}' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' local_part_suffix = +*' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' local_part_suffix_optional' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' headers_remove = Delivered-To' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' headers_add = Delivered-To: $local_part$local_part_suffix@$domain' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj echo ' transport = mlmmj_transport' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj # transport echo 'mlmmj_transport:' > /etc/exim4/conf.d/transport/40_exim4-config_mlmmj echo ' debug_print = "T: mlmmj_transport for $local_part@$domain"' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj echo ' driver = pipe' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj echo ' return_path_add' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj echo ' user = mlmmj' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj echo ' group = mlmmj' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj echo ' home_directory = MLMMJ_HOME' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj echo ' current_directory = MLMMJ_HOME' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj echo ' command = /usr/bin/mlmmj-receive -F -L MLMMJ_HOME/${lc:$local_part}' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj if ! grep -q "MLMMJ_HOME=/var/spool/mlmmj" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then sed -i '/MAIN CONFIGURATION SETTINGS/a\MLMMJ_HOME=/var/spool/mlmmj' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs fi if ! grep -q "domainlist mlmmj_domains =" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then sed -i "/MLMMJ_HOME/a\domainlist mlmmj_domains = $PUBLIC_MAILING_LIST_DOMAIN_NAME" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs fi if ! grep -q "delay_warning_condition =" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then sed -i '/domainlist mlmmj_domains =/a\delay_warning_condition = ${if match_domain{$domain}{+mlmmj_domains}{no}{yes}}' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs fi if ! grep -q ": +mlmmj_domains" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then sed -i 's/domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS/domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS : +mlmmj_domains/g' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs fi if ! grep -q "! +mlmmj_domains" /etc/exim4/conf.d/router/200_exim4-config_primary; then sed -i 's/domains = ! +local_domains/domains = ! +mlmmj_domains : ! +local_domains/g' /etc/exim4/conf.d/router/200_exim4-config_primary fi newaliases update-exim4.conf.template -r update-exim4.conf service exim4 restart if grep -q "$PUBLIC_MAILING_LIST mailing list" /home/$MY_USERNAME/README; then echo '' >> /home/$MY_USERNAME/README echo "To subscribe to the $PUBLIC_MAILING_LIST mailing list send a" >> /home/$MY_USERNAME/README echo "cleartext email to $PUBLIC_MAILING_LIST+subscribe@$DOMAIN_NAME" >> /home/$MY_USERNAME/README fi addmailinglist $MY_USERNAME "$PUBLIC_MAILING_LIST" "$PUBLIC_MAILING_LIST" echo 'create_public_mailing_list' >> $COMPLETION_FILE } function create_private_mailing_list { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi # This installation doesn't work, results in ruby errors # There is currently no schleuder package for Debian jessie if grep -Fxq "create_private_mailing_list" $COMPLETION_FILE; then return fi if [ ! $PRIVATE_MAILING_LIST ]; then return fi if [[ $PRIVATE_MAILING_LIST == $MY_USERNAME ]]; then echo 'The name of the private mailing list should not be the' echo 'same as your username' exit 10 fi if [ ! $MY_GPG_PUBLIC_KEY ]; then echo 'To create a private mailing list you need to specify a file' echo 'containing your exported GPG key within MY_GPG_PUBLIC_KEY at' echo 'the top of the script' exit 11 fi apt-get -y --force-yes install ruby ruby-dev ruby-gpgme libgpgme11-dev libmagic-dev gem install schleuder schleuder-fix-gem-dependencies schleuder-init-setup --gem # NOTE: this is version number sensitive and so might need changing ln -s /var/lib/gems/2.1.0/gems/schleuder-2.2.4 /var/lib/schleuder sed -i 's/#smtp_port: 25/smtp_port: 465/g' /etc/schleuder/schleuder.conf sed -i 's/#superadminaddr: root@localhost/superadminaddr: root@localhost' /etc/schleuder/schleuder.conf schleuder-newlist $PRIVATE_MAILING_LIST@$DOMAIN_NAME -realname "$PRIVATE_MAILING_LIST" -adminaddress $MY_USERNAME@$DOMAIN_NAME -initmember $MY_USERNAME@$DOMAIN_NAME -initmemberkey $MY_GPG_PUBLIC_KEY -nointeractive addemailtofolder $MY_USERNAME $PRIVATE_MAILING_LIST@$DOMAIN_NAME $PRIVATE_MAILING_LIST echo 'schleuder:' > /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' debug_print = "R: schleuder for $local_part@$domain"' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' driver = accept' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' local_part_suffix_optional' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' local_part_suffix = +* : -bounce : -sendkey' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' domains = +local_domains' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' user = schleuder' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' group = schleuder' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' require_files = schleuder:+/var/lib/schleuder/$domain/${local_part}' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo ' transport = schleuder_transport' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder echo 'schleuder_transport:' > /etc/exim4/conf.d/transport/30_exim4-config_schleuder echo ' debug_print = "T: schleuder_transport for $local_part@$domain"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder echo ' driver = pipe' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder echo ' home_directory = "/var/lib/schleuder/$domain/$local_part"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder echo ' command = "/usr/bin/schleuder $local_part@$domain"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder chown -R schleuder:schleuder /var/lib/schleuder update-exim4.conf.template -r update-exim4.conf service exim4 restart useradd -d /var/schleuderlists -s /bin/false schleuder adduser Debian-exim schleuder usermod -a -G mail schleuder #exim -d -bt $PRIVATE_MAILING_LIST@$DOMAIN_NAME echo 'create_private_mailing_list' >> $COMPLETION_FILE } function import_email { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then return fi EMAIL_COMPLETE_MSG=' *** Freedombone mailbox installation is complete ***' if grep -Fxq "import_email" $COMPLETION_FILE; then if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then create_backup_script create_restore_script backup_to_friends_servers echo '' echo "$EMAIL_COMPLETE_MSG" if [ -d $USB_MOUNT ]; then umount $USB_MOUNT rm -rf $USB_MOUNT echo ' You can now remove the USB drive' fi exit 0 fi return fi if [ $IMPORT_MAILDIR ]; then if [ -d $IMPORT_MAILDIR ]; then echo 'Transfering email files' cp -r $IMPORT_MAILDIR /home/$MY_USERNAME chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir else echo "Email import directory $IMPORT_MAILDIR not found" exit 9 fi fi echo 'import_email' >> $COMPLETION_FILE if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then create_backup_script create_restore_script backup_to_friends_servers apt-get -y --force-yes autoremove # unmount any attached usb drive echo '' echo "$EMAIL_COMPLETE_MSG" echo '' if [ -d $USB_MOUNT ]; then umount $USB_MOUNT rm -rf $USB_MOUNT echo ' You can now remove the USB drive' fi exit 0 fi } function install_web_server { if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then return fi if grep -Fxq "install_web_server" $COMPLETION_FILE; then return fi # remove apache apt-get -y remove --purge apache2 if [ -d /etc/apache2 ]; then rm -rf /etc/apache2 fi # install nginx apt-get -y --force-yes install nginx php5-fpm git if [ ! -d /etc/nginx ]; then echo "ERROR: nginx does not appear to have installed. $CHECK_MESSAGE" exit 51 fi # install a script to easily enable and disable nginx virtual hosts if [ ! -d $INSTALL_DIR ]; then mkdir $INSTALL_DIR fi cd $INSTALL_DIR git clone https://github.com/perusio/nginx_ensite cd $INSTALL_DIR/nginx_ensite cp nginx_* /usr/sbin nginx_dissite default echo 'install_web_server' >> $COMPLETION_FILE } function configure_php { sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/cli/php.ini sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php5/fpm/php.ini sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php5/fpm/php.ini } function install_owncloud { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then return fi OWNCLOUD_COMPLETION_MSG1=" *** Freedombone $SYSTEM_TYPE is now installed ***" OWNCLOUD_COMPLETION_MSG2="Open $OWNCLOUD_DOMAIN_NAME in a web browser to complete the setup" if grep -Fxq "install_owncloud" $COMPLETION_FILE; then if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then create_backup_script create_restore_script backup_to_friends_servers apt-get -y --force-yes autoremove # unmount any attached usb drive if [ -d $USB_MOUNT ]; then umount $USB_MOUNT rm -rf $USB_MOUNT fi echo '' echo "$OWNCLOUD_COMPLETION_MSG1" echo "$OWNCLOUD_COMPLETION_MSG2" exit 0 fi return fi # if this is exclusively a cloud setup if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then OWNCLOUD_DOMAIN_NAME=$DOMAIN_NAME OWNCLOUD_FREEDNS_SUBDOMAIN_CODE=$FREEDNS_SUBDOMAIN_CODE fi if [ ! $OWNCLOUD_DOMAIN_NAME ]; then return fi if ! [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then if [ ! $SYSTEM_TYPE ]; then return fi fi apt-get -y --force-yes install php5 php5-gd php-xml-parser php5-intl wget apt-get -y --force-yes install php5-sqlite php5-mysql smbclient curl libcurl3 php5-curl bzip2 if [ ! -d /var/www/$OWNCLOUD_DOMAIN_NAME ]; then mkdir /var/www/$OWNCLOUD_DOMAIN_NAME mkdir /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs fi echo 'server {' > /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' listen 80;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " server_name $OWNCLOUD_DOMAIN_NAME;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo 'server {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " root /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " server_name $OWNCLOUD_DOMAIN_NAME;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' ssl on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " ssl_certificate /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " ssl_certificate_key /etc/ssl/private/$OWNCLOUD_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " ssl_dhparam /etc/ssl/certs/$OWNCLOUD_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' ssl_session_timeout 5m;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # if you want to be able to access the site via HTTP' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # then replace the above with the following:' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' allow all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' client_max_body_size 10G; # set max upload size' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location = /robots.txt {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' allow all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' log_not_found off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location ~ ^/(data|config|\.ht|db_structure\.xml|README) {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # The following 2 rules are only needed with webfinger' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/.well-known/host-meta /public.php?service=host-meta last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' try_files $uri $uri/ index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location ~ ^(.+?\.php)(/.*)?$ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' try_files $1 =404;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_param SCRIPT_FILENAME $document_root$1;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_param PATH_INFO $2;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' fastcgi_param HTTPS on;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' # Optional: set long EXPIRES header on static assets' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' expires 30d;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo " # Optional: Don't log access to assets" >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' access_log off;' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$OWNCLOUD_DOMAIN_NAME configure_php if [ ! -f /etc/ssl/private/$OWNCLOUD_DOMAIN_NAME.key ]; then makecert $OWNCLOUD_DOMAIN_NAME fi # download owncloud cd $INSTALL_DIR if [ ! -f $INSTALL_DIR/$OWNCLOUD_ARCHIVE ]; then wget $OWNCLOUD_DOWNLOAD fi if [ ! -f $INSTALL_DIR/$OWNCLOUD_ARCHIVE ]; then echo 'Owncloud could not be downloaded. Check that it exists at ' echo $OWNCLOUD_DOWNLOAD echo 'And if neccessary update the version number and hash within this script' exit 18 fi # Check that the hash is correct CHECKSUM=$(sha256sum $OWNCLOUD_ARCHIVE | awk -F ' ' '{print $1}') if [[ $CHECKSUM != $OWNCLOUD_HASH ]]; then echo 'The sha256 hash of the owncloud download is incorrect. Possibly the file may have been tampered with. Check the hash on the Owncloud web site.' echo $CHECKSUM echo $OWNCLOUD_HASH exit 19 fi tar -xjf $OWNCLOUD_ARCHIVE echo 'Copying files...' cp -r owncloud/* /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs chown -R www-data:www-data /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs/apps chown -R www-data:www-data /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs/config chown www-data:www-data /var/www/$OWNCLOUD_DOMAIN_NAME/htdocs nginx_ensite $OWNCLOUD_DOMAIN_NAME service php5-fpm restart service nginx restart # update the dynamic DNS if [ $OWNCLOUD_FREEDNS_SUBDOMAIN_CODE ]; then if [[ $OWNCLOUD_FREEDNS_SUBDOMAIN_CODE != $FREEDNS_SUBDOMAIN_CODE ]]; then if ! grep -q "$OWNCLOUD_DOMAIN_NAME" /usr/bin/dynamicdns; then echo "# $OWNCLOUD_DOMAIN_NAME" >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$OWNCLOUD_FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns fi fi else echo 'WARNING: No freeDNS subdomain code given for Owncloud. It is assumed that you are using some other dynamic DNS provider.' fi OWNCLOUD_INSTALLED="yes" echo 'install_owncloud' >> $COMPLETION_FILE if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then create_backup_script create_restore_script backup_to_friends_servers apt-get -y --force-yes autoremove # unmount any attached usb drive if [ -d $USB_MOUNT ]; then umount $USB_MOUNT rm -rf $USB_MOUNT fi echo '' echo "$OWNCLOUD_COMPLETION_MSG1" echo "$OWNCLOUD_COMPLETION_MSG2" exit 0 fi } function install_xmpp { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then return fi if grep -Fxq "install_xmpp" $COMPLETION_FILE; then return fi apt-get -y --force-yes install prosody if [ ! -d /etc/prosody ]; then echo "ERROR: prosody does not appear to have installed. $CHECK_MESSAGE" exit 52 fi if [ ! -f "/etc/ssl/private/xmpp.key" ]; then makecert xmpp fi chown prosody:prosody /etc/ssl/private/xmpp.key chown prosody:prosody /etc/ssl/certs/xmpp.* cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua sed -i 's|/etc/prosody/certs/example.com.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/conf.avail/xmpp.cfg.lua sed -i 's|/etc/prosody/certs/example.com.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/conf.avail/xmpp.cfg.lua if ! grep -q "xmpp.dhparam" /etc/prosody/conf.avail/xmpp.cfg.lua; then sed -i '/certificate =/a\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/conf.avail/xmpp.cfg.lua fi sed -i "s/example.com/$DOMAIN_NAME/g" /etc/prosody/conf.avail/xmpp.cfg.lua sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/conf.avail/xmpp.cfg.lua if ! grep -q "modules_enabled" /etc/prosody/conf.avail/xmpp.cfg.lua; then echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo 'modules_enabled = {' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo ' "bosh"; -- Enable mod_bosh' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo ' "tls"; -- Enable mod_tls' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo ' "saslauth"; -- Enable mod_saslauth' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo '}' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo 'c2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo 's2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua fi ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua sed -i 's|/etc/prosody/certs/localhost.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/prosody.cfg.lua sed -i 's|/etc/prosody/certs/localhost.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/prosody.cfg.lua if ! grep -q "xmpp.dhparam" /etc/prosody/prosody.cfg.lua; then sed -i '/certificate =/a\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/prosody.cfg.lua fi sed -i 's/c2s_require_encryption = false/c2s_require_encryption = true/g' /etc/prosody/prosody.cfg.lua if ! grep -q "s2s_require_encryption" /etc/prosody/prosody.cfg.lua; then sed -i '/c2s_require_encryption/a\s2s_require_encryption = true' /etc/prosody/prosody.cfg.lua fi if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/prosody.cfg.lua; then echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua fi sed -i 's/--"bosh";/"bosh";/g' /etc/prosody/prosody.cfg.lua sed -i 's/authentication = "internal_plain"/authentication = "internal_hashed"/g' /etc/prosody/prosody.cfg.lua sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/prosody.cfg.lua sed -i 's/example.com/$DOMAIN_NAME/g' /etc/prosody/prosody.cfg.lua service prosody restart touch /home/$MY_USERNAME/README if ! grep -q "Your XMPP password is" /home/$MY_USERNAME/README; then XMPP_PASSWORD=$(openssl rand -base64 8) prosodyctl register $MY_USERNAME $DOMAIN_NAME $XMPP_PASSWORD echo "Your XMPP password is: $XMPP_PASSWORD" >> /home/$MY_USERNAME/README echo 'You can change it with: ' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo " prosodyctl passwd $MY_USERNAME@$DOMAIN_NAME" >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi echo 'install_xmpp' >> $COMPLETION_FILE } function install_irc_server { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then return fi if grep -Fxq "install_irc_server" $COMPLETION_FILE; then return fi apt-get -y --force-yes install ngircd if [ ! -d /etc/ngircd ]; then echo "ERROR: ngircd does not appear to have installed. $CHECK_MESSAGE" exit 53 fi if [ ! "/etc/ssl/private/ngircd.key" ]; then makecert ngircd fi echo '**************************************************' > /etc/ngircd/motd echo '* F R E E D O M B O N E I R C *' >> /etc/ngircd/motd echo '* *' >> /etc/ngircd/motd echo '* Freedom in the Cloud *' >> /etc/ngircd/motd echo '**************************************************' >> /etc/ngircd/motd sed -i 's|MotdFile = /etc/ngircd/ngircd.motd|MotdFile = /etc/ngircd/motd|g' /etc/ngircd/ngircd.conf sed -i "s/irc@irc.example.com/$MY_USERNAME@$DOMAIN_NAME/g" /etc/ngircd/ngircd.conf sed -i "s/irc.example.net/$DOMAIN_NAME/g" /etc/ngircd/ngircd.conf sed -i "s|Yet another IRC Server running on Debian GNU/Linux|IRC Server of $DOMAIN_NAME|g" /etc/ngircd/ngircd.conf sed -i 's/;Password = wealllikedebian/Password =/g' /etc/ngircd/ngircd.conf sed -i 's|;CertFile = /etc/ssl/certs/server.crt|CertFile = /etc/ssl/certs/ngircd.crt|g' /etc/ngircd/ngircd.conf sed -i 's|;DHFile = /etc/ngircd/dhparams.pem|DHFile = /etc/ssl/certs/ngircd.dhparam|g' /etc/ngircd/ngircd.conf sed -i 's|;KeyFile = /etc/ssl/private/server.key|KeyFile = /etc/ssl/private/ngircd.key|g' /etc/ngircd/ngircd.conf sed -i 's/;Ports = 6697, 9999/Ports = 6697, 9999/g' /etc/ngircd/ngircd.conf sed -i 's/;Name = #ngircd/Name = #freedombone/g' /etc/ngircd/ngircd.conf sed -i 's/;Topic = Our ngircd testing channel/Topic = Freedombone chat channel/g' /etc/ngircd/ngircd.conf sed -i 's/;MaxUsers = 23/MaxUsers = 23/g' /etc/ngircd/ngircd.conf sed -i 's|;KeyFile = /etc/ngircd/#chan.key|KeyFile = /etc/ngircd/#freedombone.key|g' /etc/ngircd/ngircd.conf sed -i 's/;CloakHost = cloaked.host/CloakHost = cloaked.host/g' /etc/ngircd/ngircd.conf IRC_SALT=$(openssl rand -base64 32) IRC_OPERATOR_PASSWORD=$(openssl rand -base64 8) sed -i "s|;CloakHostSalt = abcdefghijklmnopqrstuvwxyz|CloakHostSalt = $IRC_SALT|g" /etc/ngircd/ngircd.conf sed -i 's/;ConnectIPv4 = yes/ConnectIPv4 = yes/g' /etc/ngircd/ngircd.conf sed -i 's/;MorePrivacy = no/MorePrivacy = yes/g' /etc/ngircd/ngircd.conf sed -i 's/;RequireAuthPing = no/RequireAuthPing = no/g' /etc/ngircd/ngircd.conf sed -i "s/;Name = TheOper/Name = $MY_USERNAME/g" /etc/ngircd/ngircd.conf sed -i "s/;Password = ThePwd/Password = $IRC_OPERATOR_PASSWORD/g" /etc/ngircd/ngircd.conf service ngircd restart echo 'install_irc_server' >> $COMPLETION_FILE } function install_wiki { if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then return fi if grep -Fxq "install_wiki" $COMPLETION_FILE; then return fi # if everything is being installed or if this is exclusively a writer setup if [[ ! $SYSTEM_TYPE || $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then WIKI_DOMAIN_NAME=$DOMAIN_NAME WIKI_FREEDNS_SUBDOMAIN_CODE=$FREEDNS_SUBDOMAIN_CODE fi if [ ! $WIKI_DOMAIN_NAME ]; then return fi apt-get -y --force-yes install php5 php5-gd php-xml-parser php5-intl wget apt-get -y --force-yes install php5-sqlite php5-mysql smbclient curl libcurl3 php5-curl bzip2 if [ ! -d /var/www/$WIKI_DOMAIN_NAME ]; then mkdir /var/www/$WIKI_DOMAIN_NAME fi if [ ! -d /var/www/$WIKI_DOMAIN_NAME/htdocs ]; then mkdir /var/www/$WIKI_DOMAIN_NAME/htdocs fi if [ ! -f /etc/ssl/private/$WIKI_DOMAIN_NAME.key ]; then makecert $WIKI_DOMAIN_NAME fi # download the archive cd $INSTALL_DIR if [ ! -f $INSTALL_DIR/$WIKI_ARCHIVE ]; then wget $WIKI_DOWNLOAD fi if [ ! -f $INSTALL_DIR/$WIKI_ARCHIVE ]; then echo 'Dokuwiki could not be downloaded. Check that it exists at ' echo $WIKI_DOWNLOAD echo 'And if neccessary update the version number and hash within this script' exit 18 fi # Check that the hash is correct CHECKSUM=$(sha256sum $WIKI_ARCHIVE | awk -F ' ' '{print $1}') if [[ $CHECKSUM != $WIKI_HASH ]]; then echo 'The sha256 hash of the Dokuwiki download is incorrect. Possibly the file may have been tampered with. Check the hash on the Dokuwiki web site.' echo $CHECKSUM echo $WIKI_HASH exit 21 fi tar -xzvf $WIKI_ARCHIVE cd dokuwiki-* mv * /var/www/$WIKI_DOMAIN_NAME/htdocs/ chmod -R 755 /var/www/$WIKI_DOMAIN_NAME/htdocs chown -R www-data:www-data /var/www/$WIKI_DOMAIN_NAME/htdocs if ! grep -q "video/ogg" /var/www/$WIKI_DOMAIN_NAME/htdocs/conf/mime.conf; then echo 'ogv video/ogg' >> /var/www/$WIKI_DOMAIN_NAME/htdocs/conf/mime.conf echo 'mp4 video/mp4' >> /var/www/$WIKI_DOMAIN_NAME/htdocs/conf/mime.conf echo 'webm video/webm' >> /var/www/$WIKI_DOMAIN_NAME/htdocs/conf/mime.conf fi echo 'server {' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' listen 80;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " error_log /var/www/$WIKI_DOMAIN_NAME/error.log;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # Uncomment this if you need to redirect HTTP to HTTPS' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' #rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~ \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " error_log /var/www/$WIKI_DOMAIN_NAME/error_ssl.log;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' client_max_body_size 20m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' ssl on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " ssl_certificate /etc/ssl/certs/$WIKI_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " ssl_certificate_key /etc/ssl/private/$WIKI_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " ssl_dhparam /etc/ssl/certs/$WIKI_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' ssl_session_timeout 5m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME configure_php nginx_ensite $WIKI_DOMAIN_NAME service php5-fpm restart service nginx restart # update the dynamic DNS if [ $WIKI_FREEDNS_SUBDOMAIN_CODE ]; then if [[ $WIKI_FREEDNS_SUBDOMAIN_CODE != $FREEDNS_SUBDOMAIN_CODE ]]; then if ! grep -q "$WIKI_DOMAIN_NAME" /usr/bin/dynamicdns; then echo "# $WIKI_DOMAIN_NAME" >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$WIKI_FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns fi fi else echo 'WARNING: No freeDNS subdomain code given for wiki installation. It is assumed that you are using some other dynamic DNS provider.' fi # add some post-install instructions if ! grep -q "Once you have set up the wiki" /home/$MY_USERNAME/README; then echo '' >> /home/$MY_USERNAME/README echo 'Once you have set up the wiki then remove the install file:' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo " rm /var/www/$WIKI_DOMAIN_NAME/htdocs/install.php" >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi WIKI_INSTALLED="yes" echo 'install_wiki' >> $COMPLETION_FILE } function install_blog { if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then return fi if grep -Fxq "install_blog" $COMPLETION_FILE; then return fi # if everything is being installed or if this is exclusively a writer setup if [[ ! $SYSTEM_TYPE || $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then WIKI_DOMAIN_NAME=$DOMAIN_NAME WIKI_FREEDNS_SUBDOMAIN_CODE=$FREEDNS_SUBDOMAIN_CODE fi if [ ! $WIKI_DOMAIN_NAME ]; then return fi apt-get -y --force-yes install unzip # download mnml-blog cd $INSTALL_DIR rm -f latest wget $WIKI_MNML_BLOG_ADDON if [ ! -f "$INSTALL_DIR/latest" ]; then echo 'Dokuwiki mnml-blog addon could not be downloaded. Check the Dokuwiki web site and alter WIKI_MNML_BLOG_ADDON at the top of this script as needed.' exit 21 fi mv latest $WIKI_MNML_BLOG_ADDON_ARCHIVE # Check that the mnml-blog download hash is correct CHECKSUM=$(sha256sum $WIKI_MNML_BLOG_ADDON_ARCHIVE | awk -F ' ' '{print $1}') if [[ $CHECKSUM != $WIKI_MNML_BLOG_ADDON_HASH ]]; then echo 'The sha256 hash of the mnml-blog download is incorrect. Possibly the file may have been tampered with. Check the hash on the Dokuwiki mnmlblog web site and alter WIKI_MNML_BLOG_ADDON_HASH if needed.' echo $CHECKSUM echo $WIKI_MNML_BLOG_ADDON_HASH exit 22 fi # download blogTNG wget $WIKI_BLOGTNG_ADDON if [ ! -f "$INSTALL_DIR/master" ]; then echo 'Dokuwiki blogTNG addon could not be downloaded. Check the Dokuwiki web site and alter WIKI_BLOGTNG_ADDON at the top of this script as needed.' exit 23 fi mv master $WIKI_BLOGTNG_ADDON_ARCHIVE # Check that the blogTNG hash is correct CHECKSUM=$(sha256sum $WIKI_BLOGTNG_ADDON_ARCHIVE | awk -F ' ' '{print $1}') if [[ $CHECKSUM != $WIKI_BLOGTNG_ADDON_HASH ]]; then echo 'The sha256 hash of the blogTNG download is incorrect. Possibly the file may have been tampered with. Check the hash on the Dokuwiki blogTNG web site and alter WIKI_BLOGTNG_ADDON_HASH if needed.' echo $CHECKSUM echo $WIKI_BLOGTNG_ADDON_HASH exit 24 fi # download dokuwiki sqlite plugin wget $WIKI_SQLITE_ADDON if [ ! -f "$INSTALL_DIR/master" ]; then echo 'Dokuwiki sqlite addon could not be downloaded. Check the Dokuwiki web site and alter WIKI_SQLITE_ADDON at the top of this script as needed.' exit 25 fi mv master $WIKI_SQLITE_ADDON_ARCHIVE # Check that the sqlite plugin hash is correct CHECKSUM=$(sha256sum $WIKI_SQLITE_ADDON_ARCHIVE | awk -F ' ' '{print $1}') if [[ $CHECKSUM != $WIKI_SQLITE_ADDON_HASH ]]; then echo 'The sha256 hash of the Dokuwiki sqlite download is incorrect. Possibly the file may have been tampered with. Check the hash on the Dokuwiki sqlite plugin web site and alter WIKI_SQLITE_ADDON_HASH if needed.' echo $CHECKSUM echo $WIKI_SQLITE_ADDON_HASH exit 26 fi # install dokuwiki sqlite plugin tar -xzvf $WIKI_SQLITE_ADDON_ARCHIVE if [ -d "$INSTALL_DIR/sqlite" ]; then rm -rf $INSTALL_DIR/sqlite fi mv $WIKI_SQLITE_ADDON_NAME sqlite cp -r sqlite /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/plugins/ # install blogTNG if [ -d "$INSTALL_DIR/$WIKI_BLOGTNG_ADDON_NAME" ]; then rm -rf $INSTALL_DIR/$WIKI_BLOGTNG_ADDON_NAME fi unzip $WIKI_BLOGTNG_ADDON_ARCHIVE if [ -d "$INSTALL_DIR/blogtng" ]; then rm -rf $INSTALL_DIR/blogtng fi mv $WIKI_BLOGTNG_ADDON_NAME blogtng cp -r blogtng /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/plugins/ # install mnml-blog tar -xzvf $WIKI_MNML_BLOG_ADDON_ARCHIVE cp -r mnml-blog /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/tpl cp -r /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/tpl/mnml-blog/blogtng-tpl/* /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/plugins/blogtng/tpl/default/ # make a "freedombone" template so that if the default template gets # changed after an upgrade to blogTNG this doesn't necessarily change the appearance cp -r /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/plugins/blogtng/tpl/default /var/www/$WIKI_DOMAIN_NAME/htdocs/lib/plugins/blogtng/tpl/freedombone if ! grep -q "To set up your blog" /home/$MY_USERNAME/README; then echo '' >> /home/$MY_USERNAME/README echo "To set up your blog go to" >> /home/$MY_USERNAME/README echo "https://$WIKI_DOMAIN_NAME/doku.php?id=start&do=admin&page=config" >> /home/$MY_USERNAME/README echo 'and set the template to mnml-blog' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'To edit things on the right hand sidebar (links, blogroll, etc) go to' >> /home/$MY_USERNAME/README echo "https://$WIKI_DOMAIN_NAME/doku.php?id=wiki:navigation_sidebar" >> /home/$MY_USERNAME/README echo 'and edit the page' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'To edit things to a header bar (home, contacts, etc) go to' >> /home/$MY_USERNAME/README echo "https://$WIKI_DOMAIN_NAME/doku.php?id=wiki:navigation_header" >> /home/$MY_USERNAME/README echo 'and select the "create this page" at the bottom.' >> /home/$MY_USERNAME/README echo 'You can then add somethething like:' >> /home/$MY_USERNAME/README echo ' * [[:start|Home]]' >> /home/$MY_USERNAME/README echo ' * [[:wiki|Wiki]]' >> /home/$MY_USERNAME/README echo ' * [[:contact|Contact]]' >> /home/$MY_USERNAME/README echo "Go to https://$WIKI_DOMAIN_NAME/doku.php?id=start&do=admin&page=config" >> /home/$MY_USERNAME/README echo 'and check "Show header navigation" to ensure that the header shows' >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi echo 'install_blog' >> $COMPLETION_FILE } function get_mariadb_password { if [ -f /home/$MY_USERNAME/README ]; then if grep -q "MariaDB password" /home/$MY_USERNAME/README; then MARIADB_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB password" | awk -F ':' '{print $2}' | sed 's/^ *//') fi fi } function get_mariadb_gnusocial_admin_password { if [ -f /home/$MY_USERNAME/README ]; then if grep -q "MariaDB gnusocial admin password" /home/$MY_USERNAME/README; then MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB gnusocial admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') fi fi } function get_mariadb_redmatrix_admin_password { if [ -f /home/$MY_USERNAME/README ]; then if grep -q "MariaDB Red Matrix admin password" /home/$MY_USERNAME/README; then REDMATRIX_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB Red Matrix admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') fi fi } function install_mariadb { if grep -Fxq "install_mariadb" $COMPLETION_FILE; then return fi apt-get -y --force-yes install python-software-properties debconf-utils apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db add-apt-repository 'deb http://mariadb.biz.net.id//repo/10.1/debian sid main' apt-get -y --force-yes install software-properties-common apt-get -y update get_mariadb_password if [ ! $MARIADB_PASSWORD ]; then MARIADB_PASSWORD=$(openssl rand -base64 32) echo '' >> /home/$MY_USERNAME/README echo "Your MariaDB password is: $MARIADB_PASSWORD" >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi debconf-set-selections <<< "mariadb-server mariadb-server/root_password password $MARIADB_PASSWORD" debconf-set-selections <<< "mariadb-server mariadb-server/root_password_again password $MARIADB_PASSWORD" apt-get -y --force-yes install mariadb-server if [ ! -d /etc/mysql ]; then echo "ERROR: mariadb-server does not appear to have installed. $CHECK_MESSAGE" exit 54 fi mysqladmin -u root password "$MARIADB_PASSWORD" echo 'install_mariadb' >> $COMPLETION_FILE } function install_gnu_social { if grep -Fxq "install_gnu_social" $COMPLETION_FILE; then return fi if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then return fi if [ ! $MICROBLOG_DOMAIN_NAME ]; then return fi install_mariadb get_mariadb_password apt-get -y --force-yes install php-gettext php5-curl php5-gd php5-mysql git if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME ]; then mkdir /var/www/$MICROBLOG_DOMAIN_NAME fi if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then mkdir /var/www/$MICROBLOG_DOMAIN_NAME/htdocs fi if [ ! -f /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/index.php ]; then cd $INSTALL_DIR git clone $MICROBLOG_REPO gnusocial rm -rf /var/www/$MICROBLOG_DOMAIN_NAME/htdocs mv gnusocial /var/www/$MICROBLOG_DOMAIN_NAME/htdocs chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs chown www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/avatar chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/background chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/file chmod +x /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php fi get_mariadb_gnusocial_admin_password if [ ! $MICROBLOG_ADMIN_PASSWORD ]; then MICROBLOG_ADMIN_PASSWORD=$(openssl rand -base64 32) echo '' >> /home/$MY_USERNAME/README echo "Your MariaDB gnusocial admin password is: $MICROBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi echo "create database gnusocial; CREATE USER 'gnusocialadmin'@'localhost' IDENTIFIED BY '$MICROBLOG_ADMIN_PASSWORD'; GRANT ALL PRIVILEGES ON gnusocial.* TO 'gnusocialadmin'@'localhost'; quit" > $INSTALL_DIR/batch.sql chmod 600 $INSTALL_DIR/batch.sql mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql shred -zu $INSTALL_DIR/batch.sql if [ ! -f "/etc/aliases" ]; then touch /etc/aliases fi if grep -q "www-data: root" /etc/aliases; then echo 'www-data: root' >> /etc/aliases fi if grep -q "/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" /etc/aliases; then echo "*: /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" >> /etc/aliases fi newaliases # update the dynamic DNS if [ $MICROBLOG_FREEDNS_SUBDOMAIN_CODE ]; then if [[ $MICROBLOG_FREEDNS_SUBDOMAIN_CODE != $FREEDNS_SUBDOMAIN_CODE ]]; then if ! grep -q "$MICROBLOG_DOMAIN_NAME" /usr/bin/dynamicdns; then echo "# $MICROBLOG_DOMAIN_NAME" >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$MICROBLOG_FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns fi fi else echo 'WARNING: No freeDNS subdomain code given for microblog. It is assumed that you are using some other dynamic DNS provider.' fi echo 'server {' > /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' listen 80;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " server_name $MICROBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " error_log /var/www/$MICROBLOG_DOMAIN_NAME/error.log;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo 'server {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " server_name $MICROBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " error_log /var/www/$MICROBLOG_DOMAIN_NAME/error_ssl.log;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' charset utf-8;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' client_max_body_size 20m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' ssl on;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " ssl_certificate /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " ssl_certificate_key /etc/ssl/private/$MICROBLOG_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " ssl_dhparam /etc/ssl/certs/$MICROBLOG_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' ssl_session_timeout 5m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' allow all;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' expires 30d;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # block these file types' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # or a unix socket' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ~ /\. {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME configure_php if [ ! -f /etc/ssl/private/$MICROBLOG_DOMAIN_NAME.key ]; then makecert $MICROBLOG_DOMAIN_NAME fi nginx_ensite $MICROBLOG_DOMAIN_NAME service php5-fpm restart service nginx restart # some post-install instructions for the user if ! grep -q "To set up your microblog" /home/$MY_USERNAME/README; then echo '' >> /home/$MY_USERNAME/README echo "To set up your microblog go to" >> /home/$MY_USERNAME/README echo "https://$MICROBLOG_DOMAIN_NAME/install.php" >> /home/$MY_USERNAME/README echo 'and enter the following settings:' >> /home/$MY_USERNAME/README echo ' - Set a name for the site' >> /home/$MY_USERNAME/README echo ' - Server SSL: enable' >> /home/$MY_USERNAME/README echo ' - Hostname: localhost' >> /home/$MY_USERNAME/README echo ' - Type: MySql/MariaDB' >> /home/$MY_USERNAME/README echo ' - Name: gnusocial' >> /home/$MY_USERNAME/README echo ' - DB username: gnusocialadmin' >> /home/$MY_USERNAME/README echo " - DB Password; $MICROBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README echo " - Administrator nickname: $MY_USERNAME" >> /home/$MY_USERNAME/README echo " - Administrator password: $MICROBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README echo ' - Subscribe to announcements: ticked' >> /home/$MY_USERNAME/README echo ' - Site profile: Community' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo "Navigate to https://$MICROBLOG_DOMAIN_NAME and you can then " >> /home/$MY_USERNAME/README echo 'complete the configuration via the *Admin* section on the header' >> /home/$MY_USERNAME/README echo 'bar. Some recommended admin settings are:' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'Under the *Site* settings:' >> /home/$MY_USERNAME/README echo ' Text limit: 140' >> /home/$MY_USERNAME/README echo ' Dupe Limit: 60000' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'Under the *User* settings:' >> /home/$MY_USERNAME/README echo ' Bio limit: 1000' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo 'Under the *Access* settings:' >> /home/$MY_USERNAME/README echo ' /Invite only/ ticked' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi MICROBLOG_INSTALLED="yes" echo 'install_gnu_social' >> $COMPLETION_FILE } function install_redmatrix { if grep -Fxq "install_redmatrix" $COMPLETION_FILE; then return fi if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then return fi # if this is exclusively a writer setup if [[ $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then REDMATRIX_DOMAIN_NAME=$DOMAIN_NAME REDMATRIX_FREEDNS_SUBDOMAIN_CODE=$FREEDNS_SUBDOMAIN_CODE fi if [ ! $REDMATRIX_DOMAIN_NAME ]; then return fi install_mariadb get_mariadb_password apt-get -y --force-yes install php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt git git if [ ! -d /var/www/$REDMATRIX_DOMAIN_NAME ]; then mkdir /var/www/$REDMATRIX_DOMAIN_NAME fi if [ ! -d /var/www/$REDMATRIX_DOMAIN_NAME/htdocs ]; then mkdir /var/www/$REDMATRIX_DOMAIN_NAME/htdocs fi if [ ! -f /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/index.php ]; then cd $INSTALL_DIR git clone $REDMATRIX_REPO redmatrix rm -rf /var/www/$REDMATRIX_DOMAIN_NAME/htdocs mv redmatrix /var/www/$REDMATRIX_DOMAIN_NAME/htdocs chown -R www-data:www-data /var/www/$REDMATRIX_DOMAIN_NAME/htdocs git clone $REDMATRIX_ADDONS_REPO /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/addon fi get_mariadb_redmatrix_admin_password if [ ! $REDMATRIX_ADMIN_PASSWORD ]; then REDMATRIX_ADMIN_PASSWORD=$(openssl rand -base64 32) echo '' >> /home/$MY_USERNAME/README echo "Your MariaDB Red Matrix admin password is: $REDMATRIX_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi echo "create database redmatrix; CREATE USER 'redmatrixadmin'@'localhost' IDENTIFIED BY '$REDMATRIX_ADMIN_PASSWORD'; GRANT ALL PRIVILEGES ON redmatrix.* TO 'redmatrixadmin'@'localhost'; quit" > $INSTALL_DIR/batch.sql chmod 600 $INSTALL_DIR/batch.sql mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql shred -zu $INSTALL_DIR/batch.sql if ! grep -q "/var/www/$REDMATRIX_DOMAIN_NAME/htdocs" /etc/crontab; then echo "12,22,32,42,52 * * * * root cd /var/www/$REDMATRIX_DOMAIN_NAME/htdocs; /usr/bin/timeout 240 /usr/bin/php include/poller.php" >> /etc/crontab fi # update the dynamic DNS if [ $REDMATRIX_FREEDNS_SUBDOMAIN_CODE ]; then if [[ $REDMATRIX_FREEDNS_SUBDOMAIN_CODE != $FREEDNS_SUBDOMAIN_CODE ]]; then if ! grep -q "$REDMATRIX_DOMAIN_NAME" /usr/bin/dynamicdns; then echo "# $REDMATRIX_DOMAIN_NAME" >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$REDMATRIX_FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns fi fi else echo 'WARNING: No freeDNS code given for Red Matrix. It is assumed that you are using some other dynamic DNS provider.' fi echo 'server {' > /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' listen 80;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " server_name $REDMATRIX_DOMAIN_NAME;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " root /var/www/$REDMATRIX_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " error_log /var/www/$REDMATRIX_DOMAIN_NAME/error.log;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo 'server {' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " root /var/www/$REDMATRIX_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " server_name $REDMATRIX_DOMAIN_NAME;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " error_log /var/www/$REDMATRIX_DOMAIN_NAME/error_ssl.log;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' index index.php;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' charset utf-8;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' client_max_body_size 20m;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' client_body_buffer_size 128k;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' ssl on;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " ssl_certificate /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.crt;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " ssl_certificate_key /etc/ssl/private/$REDMATRIX_DOMAIN_NAME.key;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " ssl_dhparam /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.dhparam;" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' ssl_session_timeout 5m;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' ssl_prefer_server_ciphers on;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' ssl_session_cache builtin:1000 shared:SSL:10m;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " ssl_protocols $SSL_PROTOCOLS; # not possible to do exclusive" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " ssl_ciphers '$SSL_CIPHERS';" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' allow all;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' expires 30d;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # block these file types' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # or a unix socket' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' location ~ /\. {' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' deny all;' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME configure_php if [ ! -f /etc/ssl/private/$REDMATRIX_DOMAIN_NAME.key ]; then makecert $REDMATRIX_DOMAIN_NAME fi if [ ! -d /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/view/tpl/smarty3 ]; then mkdir /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/view/tpl/smarty3 fi if [ ! -d /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/store/[data] ]; then mkdir /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/store/[data] fi if [ ! -d /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/store/[data]/smarty3 ]; then mkdir /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/store/[data]/smarty3 chmod 777 /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/store/[data]/smarty3 fi chmod 777 /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/view/tpl chmod 777 /var/www/$REDMATRIX_DOMAIN_NAME/htdocs/view/tpl/smarty3 nginx_ensite $REDMATRIX_DOMAIN_NAME service php5-fpm restart service nginx restart service cron restart # some post-install instructions for the user if ! grep -q "To set up your Red Matrix" /home/$MY_USERNAME/README; then echo '' >> /home/$MY_USERNAME/README echo "To set up your Red Matrix site go to" >> /home/$MY_USERNAME/README echo "https://$REDMATRIX_DOMAIN_NAME" >> /home/$MY_USERNAME/README echo 'You will need to have a non self-signed SSL certificate in order' >> /home/$MY_USERNAME/README echo "to use Red Matrix. Put the public certificate in /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.crt" >> /home/$MY_USERNAME/README echo "and the private certificate in /etc/ssl/private/$REDMATRIX_DOMAIN_NAME.key." >> /home/$MY_USERNAME/README echo 'If there is an intermediate certificate needed (such as with StartSSL) then' >> /home/$MY_USERNAME/README echo 'this will need to be concatenated onto the end of the crt file, like this:' >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo " cat /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.bundle.crt" >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README echo "Then change ssl_certificate to /etc/ssl/certs/$REDMATRIX_DOMAIN_NAME.bundle.crt" >> /home/$MY_USERNAME/README echo "within /etc/nginx/sites-available/$REDMATRIX_DOMAIN_NAME" >> /home/$MY_USERNAME/README echo '' >> /home/$MY_USERNAME/README chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README fi REDMATRIX_INSTALLED="yes" echo 'install_redmatrix' >> $COMPLETION_FILE } function script_for_attaching_usb_drive { if grep -Fxq "script_for_attaching_usb_drive" $COMPLETION_FILE; then return fi echo '#!/bin/bash' > /usr/bin/attach-music echo "if [ -d $USB_MOUNT ]; then" >> /usr/bin/attach-music echo " umount $USB_MOUNT" >> /usr/bin/attach-music echo 'fi' >> /usr/bin/attach-music echo "if [ ! -d $USB_MOUNT ]; then" >> /usr/bin/attach-music echo " mkdir $USB_MOUNT" >> /usr/bin/attach-music echo 'fi' >> /usr/bin/attach-music echo "mount /dev/sda1 $USB_MOUNT" >> /usr/bin/attach-music echo "chown root:root $USB_MOUNT" >> /usr/bin/attach-music echo "chown -R minidlna:minidlna $USB_MOUNT/*" >> /usr/bin/attach-music echo 'minidlnad -R' >> /usr/bin/attach-music chmod +x /usr/bin/attach-music ln -s /usr/bin/attach-music /usr/bin/attach-usb ln -s /usr/bin/attach-music /usr/bin/attach-videos ln -s /usr/bin/attach-music /usr/bin/attach-pictures ln -s /usr/bin/attach-music /usr/bin/attach-media echo '#!/bin/bash' > /usr/bin/remove-music echo "if [ -d $USB_MOUNT ]; then" >> /usr/bin/remove-music echo " umount $USB_MOUNT" >> /usr/bin/remove-music echo " rm -rf $USB_MOUNT" >> /usr/bin/remove-music echo 'fi' >> /usr/bin/remove-music chmod +x /usr/bin/remove-music ln -s /usr/bin/remove-music /usr/bin/detach-music ln -s /usr/bin/remove-music /usr/bin/detach-usb ln -s /usr/bin/remove-music /usr/bin/remove-usb ln -s /usr/bin/remove-music /usr/bin/detach-media ln -s /usr/bin/remove-music /usr/bin/remove-media ln -s /usr/bin/remove-music /usr/bin/detach-videos ln -s /usr/bin/remove-music /usr/bin/remove-videos ln -s /usr/bin/remove-music /usr/bin/detach-pictures ln -s /usr/bin/remove-music /usr/bin/remove-pictures echo 'script_for_attaching_usb_drive' >> $COMPLETION_FILE } function install_dlna_server { if grep -Fxq "install_dlna_server" $COMPLETION_FILE; then return fi if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi apt-get -y --force-yes install minidlna if [ ! -f /etc/minidlna.conf ]; then echo "ERROR: minidlna does not appear to have installed. $CHECK_MESSAGE" exit 55 fi sed -i "s|media_dir=/var/lib/minidlna|media_dir=A,/home/$MY_USERNAME/Music|g" /etc/minidlna.conf if ! grep -q "/home/$MY_USERNAME/Pictures" /etc/minidlna.conf; then echo "media_dir=P,/home/$MY_USERNAME/Pictures" >> /etc/minidlna.conf fi if ! grep -q "/home/$MY_USERNAME/Videos" /etc/minidlna.conf; then echo "media_dir=V,/home/$MY_USERNAME/Videos" >> /etc/minidlna.conf fi if ! grep -q "$USB_MOUNT/Music" /etc/minidlna.conf; then echo "media_dir=A,$USB_MOUNT/Music" >> /etc/minidlna.conf fi if ! grep -q "$USB_MOUNT/Pictures" /etc/minidlna.conf; then echo "media_dir=P,$USB_MOUNT/Pictures" >> /etc/minidlna.conf fi if ! grep -q "$USB_MOUNT/Videos" /etc/minidlna.conf; then echo "media_dir=V,$USB_MOUNT/Videos" >> /etc/minidlna.conf fi sed -i 's/#root_container=./root_container=B/g' /etc/minidlna.conf sed -i 's/#network_interface=/network_interface=eth0/g' /etc/minidlna.conf sed -i 's/#friendly_name=/friendly_name="Freedombone Media"/g' /etc/minidlna.conf sed -i 's|#db_dir=/var/cache/minidlna|db_dir=/var/cache/minidlna|g' /etc/minidlna.conf sed -i 's/#inotify=yes/inotify=yes/g' /etc/minidlna.conf sed -i "s|#presentation_url=/|presentation_url=http://localhost:8200|g" /etc/minidlna.conf service minidlna force-reload service minidlna reload echo 'install_dlna_server' >> $COMPLETION_FILE } function install_mediagoblin { # These instructions don't work and need fixing return if grep -Fxq "install_mediagoblin" $COMPLETION_FILE; then return fi if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then return fi # if this is exclusively a writer setup if [[ $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then MEDIAGOBLIN_DOMAIN_NAME=$DOMAIN_NAME MEDIAGOBLIN_FREEDNS_SUBDOMAIN_CODE=$FREEDNS_SUBDOMAIN_CODE fi if [ ! $MEDIAGOBLIN_DOMAIN_NAME ]; then return fi apt-get -y --force-yes install git-core python python-dev python-lxml python-imaging python-virtualenv apt-get -y --force-yes install python-gst-1.0 libjpeg8-dev sqlite3 libapache2-mod-fcgid gstreamer1.0-plugins-base gstreamer1.0-plugins-bad gstreamer1.0-plugins-good gstreamer1.0-plugins-ugly gstreamer1.0-libav python-numpy python-scipy libsndfile1-dev apt-get -y --force-yes install postgresql postgresql-client python-psycopg2 python-pip autotools-dev automake sudo -u postgres createuser -A -D mediagoblin sudo -u postgres createdb -E UNICODE -O mediagoblin mediagoblin adduser --system mediagoblin MEDIAGOBLIN_DOMAIN_ROOT="/srv/$MEDIAGOBLIN_DOMAIN_NAME" MEDIAGOBLIN_PATH="$MEDIAGOBLIN_DOMAIN_ROOT/mediagoblin" MEDIAGOBLIN_PATH_BIN="$MEDIAGOBLIN_PATH/mediagoblin/bin" if [ ! -d $MEDIAGOBLIN_DOMAIN_ROOT ]; then mkdir -p $MEDIAGOBLIN_DOMAIN_ROOT fi cd $MEDIAGOBLIN_DOMAIN_ROOT chown -hR mediagoblin: $MEDIAGOBLIN_DOMAIN_ROOT su -c "cd $MEDIAGOBLIN_DOMAIN_ROOT; git clone git://gitorious.org/mediagoblin/mediagoblin.git" - mediagoblin su -c "cd $MEDIAGOBLIN_PATH; git submodule init" - mediagoblin su -c "cd $MEDIAGOBLIN_PATH; git submodule update" - mediagoblin #su -c 'cd $MEDIAGOBLIN_PATH; ./experimental-bootstrap.sh' - mediagoblin #su -c 'cd $MEDIAGOBLIN_PATH; ./configure' - mediagoblin #su -c 'cd $MEDIAGOBLIN_PATH; make' - mediagoblin su -c "cd $MEDIAGOBLIN_PATH; virtualenv --system-site-packages ." - mediagoblin su -c "cd $MEDIAGOBLIN_PATH_BIN; python setup.py develop" - mediagoblin su -c "cp $MEDIAGOBLIN_PATH/mediagoblin.ini $MEDIAGOBLIN_PATH/mediagoblin_local.ini" - mediagoblin su -c "cp $MEDIAGOBLIN_PATH/paste.ini $MEDIAGOBLIN_PATH/paste_local.ini" - mediagoblin # update the dynamic DNS if [ $MEDIAGOBLIN_FREEDNS_SUBDOMAIN_CODE ]; then if [[ $MEDIAGOBLIN_FREEDNS_SUBDOMAIN_CODE != $FREEDNS_SUBDOMAIN_CODE ]]; then if ! grep -q "$MEDIAGOBLIN_DOMAIN_NAME" /usr/bin/dynamicdns; then echo "# $MEDIAGOBLIN_DOMAIN_NAME" >> /usr/bin/dynamicdns echo "wget -O - https://freedns.afraid.org/dynamic/update.php?$MEDIAGOBLIN_FREEDNS_SUBDOMAIN_CODE== >> /dev/null 2>&1" >> /usr/bin/dynamicdns fi fi else echo 'WARNING: No freeDNS subdomain code given for mediagoblin. It is assumed that you are using some other dynamic DNS provider.' fi # see https://wiki.mediagoblin.org/Deployment / uwsgi with configs apt-get -y --force-yes install uwsgi uwsgi-plugin-python nginx-full supervisor echo 'server {' > /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' include /etc/nginx/mime.types;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' autoindex off;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' default_type application/octet-stream;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' sendfile on;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' # Gzip' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' gzip on;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' gzip_min_length 1024;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' gzip_buffers 4 32k;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' gzip_types text/plain text/html application/x-javascript text/javascript text/xml text/css;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo " server_name $MEDIAGOBLIN_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' access_log /var/log/nginx/mg.access.log;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' error_log /var/log/nginx/mg.error.log error;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' #include global/common.conf;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' client_max_body_size 100m;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo " root $MEDIAGOBLIN_PATH/;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' location /mgoblin_static/ {' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo " alias $MEDIAGOBLIN_PATH/static/;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' location /mgoblin_media/ {' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo " alias $MEDIAGOBL_PATH/media/public/;" >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' location /theme_static/ {' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' location /plugin_static/ {' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' location / {' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' uwsgi_pass unix:///tmp/mg.uwsgi.sock;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' uwsgi_param SCRIPT_NAME "/";' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' include uwsgi_params;' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo ' }' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo '}' >> /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME echo 'uwsgi:' > /etc/uwsgi/apps-available/mg.yaml echo ' uid: mediagoblin' >> /etc/uwsgi/apps-available/mg.yaml echo ' gid: mediagoblin' >> /etc/uwsgi/apps-available/mg.yaml echo ' socket: /tmp/mg.uwsgi.sock' >> /etc/uwsgi/apps-available/mg.yaml echo ' chown-socket: www-data:www-data' >> /etc/uwsgi/apps-available/mg.yaml echo ' plugins: python' >> /etc/uwsgi/apps-available/mg.yaml echo " home: $MEDIAGOBLIN_PATH/" >> /etc/uwsgi/apps-available/mg.yaml echo " chdir: $MEDIAGOBLIN_PATH/" >> /etc/uwsgi/apps-available/mg.yaml echo " ini-paste: $MEDIAGOBLIN_PATH/paste_local.ini" >> /etc/uwsgi/apps-available/mg.yaml echo '[program:celery]' > /etc/supervisor/conf.d/mediagoblin.conf echo "command=$MEDIAGOBLIN_PATH_BIN/celery worker -l debug" >> /etc/supervisor/conf.d/mediagoblin.conf echo '' >> /etc/supervisor/conf.d/mediagoblin.conf echo '; Set PYTHONPATH to the directory containing celeryconfig.py' >> /etc/supervisor/conf.d/mediagoblin.conf echo "environment=PYTHONPATH='$MEDIAGOBLIN_PATH',MEDIAGOBLIN_CONFIG='$MEDIAGOBLIN_PATH/mediagoblin_local.ini',CELERY_CONFIG_MODULE='mediagoblin.init.celery.from_celery'" >> /etc/supervisor/conf.d/mediagoblin.conf echo '' >> /etc/supervisor/conf.d/mediagoblin.conf echo "directory=$MEDIAGOBLIN_PATH/" >> /etc/supervisor/conf.d/mediagoblin.conf echo 'user=mediagoblin' >> /etc/supervisor/conf.d/mediagoblin.conf echo 'numprocs=1' >> /etc/supervisor/conf.d/mediagoblin.conf echo '; uncomment below to enable logs saving' >> /etc/supervisor/conf.d/mediagoblin.conf echo ";stdout_logfile=/var/log/nginx/celeryd_stdout.log" >> /etc/supervisor/conf.d/mediagoblin.conf echo ";stderr_logfile=/var/log/nginx/celeryd_stderr.log" >> /etc/supervisor/conf.d/mediagoblin.conf echo 'autostart=true' >> /etc/supervisor/conf.d/mediagoblin.conf echo 'autorestart=false' >> /etc/supervisor/conf.d/mediagoblin.conf echo 'startsecs=10' >> /etc/supervisor/conf.d/mediagoblin.conf echo '' >> /etc/supervisor/conf.d/mediagoblin.conf echo '; Need to wait for currently executing tasks to finish at shutdown.' >> /etc/supervisor/conf.d/mediagoblin.conf echo '; Increase this if you have very long running tasks.' >> /etc/supervisor/conf.d/mediagoblin.conf echo 'stopwaitsecs = 600' >> /etc/supervisor/conf.d/mediagoblin.conf ln -s /etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME /etc/nginx/sites-enabled/ ln -s /etc/uwsgi/apps-available/mg.yaml /etc/uwsgi/apps-enabled/ # change settings sed -i "s/notice@mediagoblin.example.org/$MY_USERNAME@$DOMAIN_NAME/g" $MEDIAGOBLIN_PATH/mediagoblin_local.ini sed -i 's/email_debug_mode = true/email_debug_mode = false/g' $MEDIAGOBLIN_PATH/mediagoblin_local.ini sed -i 's|# sql_engine = postgresql:///mediagoblin|sql_engine = postgresql:///mediagoblin|g' $MEDIAGOBLIN_PATH/mediagoblin_local.ini # add extra media types if grep -q "media_types.audio" $MEDIAGOBLIN_PATH/mediagoblin_local.ini; then echo '[[mediagoblin.media_types.audio]]' >> $MEDIAGOBLIN_PATH/mediagoblin_local.ini fi if grep -q "media_types.video" $MEDIAGOBLIN_PATH/mediagoblin_local.ini; then echo '[[mediagoblin.media_types.video]]' >> $MEDIAGOBLIN_PATH/mediagoblin_local.ini fi if grep -q "media_types.stl" $MEDIAGOBLIN_PATH/mediagoblin_local.ini; then echo '[[mediagoblin.media_types.stl]]' >> $MEDIAGOBLIN_PATH/mediagoblin_local.ini fi su -c "cd $MEDIAGOBLIN_PATH_BIN; pip install scikits.audiolab" - mediagoblin su -c "cd $MEDIAGOBLIN_PATH_BIN; gmg dbupdate" - mediagoblin # systemd init scripts echo '[Unit]' > /etc/systemd/system/gmg.service echo 'Description=Mediagoblin' >> /etc/systemd/system/gmg.service echo '' >> /etc/systemd/system/gmg.service echo '[Service]' >> /etc/systemd/system/gmg.service echo 'Type=forking' >> /etc/systemd/system/gmg.service echo 'User=mediagoblin' >> /etc/systemd/system/gmg.service echo 'Group=mediagoblin' >> /etc/systemd/system/gmg.service echo '#Environment=CELERY_ALWAYS_EAGER=true' >> /etc/systemd/system/gmg.service echo 'Environment=CELERY_ALWAYS_EAGER=false' >> /etc/systemd/system/gmg.service echo "WorkingDirectory=$MEDIAGOBLIN_PATH" >> /etc/systemd/system/gmg.service echo "ExecStart=$MEDIAGOBLIN_PATH_BIN/paster serve $MEDIAGOBLIN_PATH/paste_local.ini --pid-file=/var/run/mediagoblin/paster.pid --log-file=/var/log/nginx/mediagoblin_paster.log --daemon --server-name=fcgi fcgi_host=127.0.0.1 fcgi_port=26543" >> /etc/systemd/system/gmg.service echo "ExecStop=$MEDIAGOBLIN_PATH_BIN/paster serve --pid-file=/var/run/mediagoblin/paster.pid $MEDIAGOBLIN_PATH/paste_local.ini stop" >> /etc/systemd/system/gmg.service echo 'PIDFile=/var/run/mediagoblin/mediagoblin.pid' >> /etc/systemd/system/gmg.service echo '' >> /etc/systemd/system/gmg.service echo '[Install]' >> /etc/systemd/system/gmg.service echo 'WantedBy=multi-user.target' >> /etc/systemd/system/gmg.service echo '[Unit]' > /etc/systemd/system/gmg-celeryd.service echo 'Description=Mediagoblin Celeryd' >> /etc/systemd/system/gmg-celeryd.service echo '' >> /etc/systemd/system/gmg-celeryd.service echo '[Service]' >> /etc/systemd/system/gmg-celeryd.service echo 'User=mediagoblin' >> /etc/systemd/system/gmg-celeryd.service echo 'Group=mediagoblin' >> /etc/systemd/system/gmg-celeryd.service echo 'Type=simple' >> /etc/systemd/system/gmg-celeryd.service echo "WorkingDirectory=$MEDIAGOBLIN_PATH" >> /etc/systemd/system/gmg-celeryd.service echo "Environment='MEDIAGOBLIN_CONFIG=$MEDIAGOBLIN_PATH/mediagoblin_local.ini' CELERY_CONFIG_MODULE=mediagoblin.init.celery.from_celery" >> /etc/systemd/system/gmg-celeryd.service echo "ExecStart=$MEDIAGOBLIN_PATH_BIN/celeryd" >> /etc/systemd/system/gmg-celeryd.service echo 'PIDFile=/var/run/mediagoblin/mediagoblin-celeryd.pid' >> /etc/systemd/system/gmg-celeryd.service echo '' >> /etc/systemd/system/gmg-celeryd.service echo '[Install]' >> /etc/systemd/system/gmg-celeryd.service echo 'WantedBy=multi-user.target' >> /etc/systemd/system/gmg-celeryd.service systemctl start gmg.service systemctl start gmg-celeryd.service echo 'install_mediagoblin' >> $COMPLETION_FILE } function install_final { if grep -Fxq "install_final" $COMPLETION_FILE; then return fi # unmount any attached usb drive if [ -d $USB_MOUNT ]; then umount $USB_MOUNT rm -rf $USB_MOUNT fi apt-get -y --force-yes autoremove echo 'install_final' >> $COMPLETION_FILE echo '' echo ' *** Freedombone installation is complete. Rebooting... ***' echo '' if [ -f "/home/$MY_USERNAME/README" ]; then echo "See /home/$MY_USERNAME/README for post-installation instructions." echo '' fi reboot } argument_checks remove_default_user configure_firewall configure_firewall_for_ssh configure_firewall_for_dns configure_firewall_for_ftp configure_firewall_for_web_access remove_proprietary_repos change_debian_repos enable_backports configure_dns initial_setup enforce_good_passwords install_editor change_login_message update_the_kernel enable_zram random_number_generator set_your_domain_name time_synchronisation configure_internet_protocol configure_ssh check_hwrng search_for_attached_usb_drive regenerate_ssh_keys script_to_make_self_signed_certificates configure_email create_procmail #spam_filtering configure_imap configure_gpg encrypt_incoming_email #encrypt_outgoing_email email_client configure_firewall_for_email folders_for_mailing_lists folders_for_email_addresses dynamic_dns_freedns create_public_mailing_list #create_private_mailing_list import_email script_for_attaching_usb_drive install_web_server configure_firewall_for_web_server install_owncloud install_xmpp configure_firewall_for_xmpp install_irc_server configure_firewall_for_irc install_wiki install_blog install_gnu_social install_redmatrix install_dlna_server install_mediagoblin create_backup_script create_restore_script backup_to_friends_servers install_final apt-get -y --force-yes autoremove echo 'Freedombone installation is complete' exit 0