#!/bin/bash # # .---. . . # | | | # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-' # ' ' --' --' -' - -' ' ' -' -' -' ' - --' # # Freedom in the Cloud # # SKS Keyserver # # License # ======= # # Copyright (C) 2017 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . VARIANTS='full full-vim' IN_DEFAULT_INSTALL=0 SHOW_ON_ABOUT=1 KEYSERVER_WEB_REPO="https://github.com/mattrude/pgpkeyserver-lite" KEYSERVER_WEB_COMMIT='a038cb79b927c99bf7da62f20d2c6a2f20374339' KEYSERVER_PORT=11371 KEYSERVER_ONION_PORT=8122 KEYSERVER_DOMAIN_NAME= KEYSERVER_CODE= keyserver_variables=(ONION_ONLY MY_USERNAME DEFAULT_DOMAIN_NAME KEYSERVER_DOMAIN_NAME KEYSERVER_CODE) function logging_on_keyserver { echo -n '' } function logging_off_keyserver { echo -n '' } function reconfigure_keyserver { echo -n '' } function upgrade_keyserver { CURR_KEYSERVER_WEB_COMMIT=$(get_completion_param "keyserver web commit") if [[ "$CURR_KEYSERVER_WEB_COMMIT" == "$KEYSERVER_WEB_COMMIT" ]]; then return fi if grep -q "keyserver domain" $COMPLETION_FILE; then KEYSERVER_DOMAIN_NAME=$(get_completion_param "keyserver domain") fi # update to the next commit function_check set_repo_commit set_repo_commit /var/www/$KEYSERVER_DOMAIN_NAME/htdocs "keyserver web commit" "$KEYSERVER_WEB_COMMIT" $KEYSERVER_WEB_REPO read_config_param MY_USERNAME USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME) if [ ! $GPG_ID ]; then echo $'No GPG ID for admin user' exit 846336 fi if [ ${#GPG_ID} -lt 5 ]; then echo $'GPG ID not retrieved for admin user' exit 835292 fi if [[ "$GPG_ID" == *"error"* ]]; then echo $'GPG ID not retrieved for admin user due to error' exit 74825 fi sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs } function backup_local_keyserver { echo -n '' } function restore_local_keyserver { echo -n '' } function backup_remote_keyserver { echo -n '' } function restore_remote_keyserver { echo -n '' } function remove_keyserver { systemctl stop sks apt-get -qy remove sks read_config_param "KEYSERVER_DOMAIN_NAME" nginx_dissite $KEYSERVER_DOMAIN_NAME remove_certs ${KEYSERVER_DOMAIN_NAME} if [ -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME ]; then rm -f /etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME fi if [ -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then rm -rf /var/www/$KEYSERVER_DOMAIN_NAME fi function_check remove_ddns_domain remove_ddns_domain $KEYSERVER_DOMAIN_NAME remove_config_param KEYSERVER_DOMAIN_NAME remove_config_param KEYSERVER_CODE function_check remove_onion_service remove_onion_service keyserver ${KEYSERVER_ONION_PORT} remove_completion_param "install_keyserver" sed -i '/keyserver/d' $COMPLETION_FILE if [ -d /var/lib/sks ]; then rm -rf /var/lib/sks fi } function install_interactive_keyserver { if [ ! $ONION_ONLY ]; then ONION_ONLY='no' fi if [[ $ONION_ONLY != "no" ]]; then KEYSERVER_DOMAIN_NAME='keyserver.local' write_config_param "KEYSERVER_DOMAIN_NAME" "$KEYSERVER_DOMAIN_NAME" else function_check interactive_site_details interactive_site_details "keyserver" "KEYSERVER_DOMAIN_NAME" "KEYSERVER_CODE" fi APP_INSTALLED=1 } function keyserver_import_keys { dialog --title $"Import public keys database" \ --backtitle $"Freedombone Control Panel" \ --defaultno \ --yesno $"\nThis will download many gigabytes of data and so depending on your bandwidth it could take several days.\n\nContinue?" 10 60 sel=$? case $sel in 1) return;; 255) return;; esac if [ ! -d /var/lib/sks/dump ]; then mkdir -p /var/lib/sks/dump fi cd /var/lib/sks/dump echo $'Getting keyserver dump. This may take a few days or longer, so be patient.' rm -rf cd /var/lib/sks/dump/* KEYSERVER_DUMP_URL="https://keyserver.mattrude.com/dump/$(date +%F)/" wget -crp -e robots=off --level=1 --cut-dirs=3 -nH \ -A pgp,txt $KEYSERVER_DUMP_URL cd /var/lib/sks echo $'Building the keyserver database from the downloaded dump' sks build } function configure_interactive_keyserver { while true do data=$(tempfile 2>/dev/null) trap "rm -f $data" 0 1 2 5 15 dialog --backtitle $"Freedombone Control Panel" \ --title $"SKS Keyserver" \ --radiolist $"Choose an operation:" 10 70 2 \ 1 $"Import public keys database" off \ 2 $"Exit" on 2> $data sel=$? case $sel in 1) return;; 255) return;; esac case $(cat $data) in 1) keyserver_import_keys;; 2) break;; esac done } function install_keyserver { apt-get -qy install build-essential gcc ocaml libdb-dev wget sks sks build chown -Rc debian-sks: /var/lib/sks/DB sed -i 's|initstart=.*|initstart=yes|g' /etc/default/sks systemctl restart sks if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME ]; then mkdir /var/www/$KEYSERVER_DOMAIN_NAME fi cd /var/www/$KEYSERVER_DOMAIN_NAME if [ -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then rm -rf /var/www/$KEYSERVER_DOMAIN_NAME/htdocs fi if [ -d /repos/keyserverweb ]; then mkdir htdocs cp -r -p /repos/keyserverweb/. htdocs cd htdocs git pull else git_clone $KEYSERVER_WEB_REPO htdocs fi if [ ! -d /var/www/$KEYSERVER_DOMAIN_NAME/htdocs ]; then echo $"/var/www/$KEYSERVER_DOMAIN_NAME/htdocs not found" exit 6539230 fi cd /var/www/$KEYSERVER_DOMAIN_NAME/htdocs git checkout $KEYSERVER_WEB_COMMIT -b $KEYSERVER_WEB_COMMIT set_completion_param "keyserver web commit" "$KEYSERVER_WEB_COMMIT" USER_EMAIL_ADDRESS=$MY_USERNAME@$HOSTNAME GPG_ID=$(su -m root -c "gpg --list-keys $USER_EMAIL_ADDRESS | sed -n '2p' | sed 's/^[ \t]*//'" - $MY_USERNAME) if [ ! $GPG_ID ]; then echo $'No GPG ID for admin user' exit 846336 fi if [ ${#GPG_ID} -lt 5 ]; then echo $'GPG ID not retrieved for admin user' exit 835292 fi if [[ "$GPG_ID" == *"error"* ]]; then echo $'GPG ID not retrieved for admin user due to error' exit 74825 fi sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html sed -i "s|###ENTERPUBLICKEYHERE###|$GPG_ID|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/404.html sed -i "s|###ENTERNAMEHERE###|$USER_EMAIL_ADDRESS|g" /var/www/$KEYSERVER_DOMAIN_NAME/htdocs/index.html sksconf_file=/var/lib/sks/sksconf echo 'debuglevel: 3' > $sksconf_file echo '' >> $sksconf_file echo "hostname: $KEYSERVER_DOMAIN_NAME" >> $sksconf_file echo '' >> $sksconf_file echo 'hkp_address: 127.0.0.1' >> $sksconf_file echo "hkp_port: $KEYSERVER_PORT" >> $sksconf_file echo 'recon_port: 11370' >> $sksconf_file echo '' >> $sksconf_file echo "server_contact: $GPG_ID" >> $sksconf_file echo '' >> $sksconf_file echo 'initial_stat:' >> $sksconf_file echo 'disable_mailsync:' >> $sksconf_file echo 'membership_reload_interval: 1' >> $sksconf_file echo 'stat_hour: 12' >> $sksconf_file echo '' >> $sksconf_file echo 'max_matches: 500' >> $sksconf_file chown debian-sks: $sksconf_file KEYSERVER_ONION_HOSTNAME=$(add_onion_service keyserver 80 ${KEYSERVER_ONION_PORT}) keyserver_nginx_site=/etc/nginx/sites-available/$KEYSERVER_DOMAIN_NAME if [[ $ONION_ONLY == "no" ]]; then function_check nginx_http_redirect nginx_http_redirect $KEYSERVER_DOMAIN_NAME echo 'server {' >> $keyserver_nginx_site echo ' listen 443 ssl;' >> $keyserver_nginx_site echo ' listen [::]:443 ssl;' >> $keyserver_nginx_site echo " server_name $KEYSERVER_DOMAIN_NAME;" >> $keyserver_nginx_site echo '' >> $keyserver_nginx_site echo ' # Security' >> $keyserver_nginx_site function_check nginx_ssl nginx_ssl $KEYSERVER_DOMAIN_NAME function_check nginx_disable_sniffing nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME echo ' add_header Strict-Transport-Security max-age=15768000;' >> $keyserver_nginx_site echo '' >> $keyserver_nginx_site echo ' # Logs' >> $keyserver_nginx_site echo ' access_log /dev/null;' >> $keyserver_nginx_site echo ' error_log /dev/null;' >> $keyserver_nginx_site echo '' >> $keyserver_nginx_site echo ' # Root' >> $keyserver_nginx_site echo " root /var/www/$KEYSERVER_DOMAIN_NAME/htdocs;" >> $keyserver_nginx_site echo '' >> $keyserver_nginx_site echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site echo '' >> $keyserver_nginx_site echo ' location /pks {' >> $keyserver_nginx_site echo " proxy_pass http://127.0.0.1:$KEYSERVER_PORT;" >> $keyserver_nginx_site echo ' proxy_pass_header Server;' >> $keyserver_nginx_site echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_PORT (nginx)\";" >> $keyserver_nginx_site echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site echo ' client_max_body_size 8m;' >> $keyserver_nginx_site echo ' }' >> $keyserver_nginx_site echo '}' >> $keyserver_nginx_site echo '' >> $keyserver_nginx_site else echo -n '' > $keyserver_nginx_site fi echo 'server {' >> $keyserver_nginx_site echo " listen 127.0.0.1:$KEYSERVER_ONION_PORT default_server;" >> $keyserver_nginx_site echo " server_name $KEYSERVER_ONION_HOSTNAME;" >> $keyserver_nginx_site echo '' >> $keyserver_nginx_site function_check nginx_disable_sniffing nginx_disable_sniffing $KEYSERVER_DOMAIN_NAME echo '' >> $keyserver_nginx_site echo ' # Logs' >> $keyserver_nginx_site echo ' access_log /dev/null;' >> $keyserver_nginx_site echo ' error_log /dev/null;' >> $keyserver_nginx_site echo '' >> $keyserver_nginx_site echo ' # Root' >> $keyserver_nginx_site echo " root /var/www/$KEYSERVER_DOMAIN_NAME/mail;" >> $keyserver_nginx_site echo '' >> $keyserver_nginx_site echo ' rewrite ^/stats /pks/lookup?op=stats;' >> $keyserver_nginx_site echo ' rewrite ^/s/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site echo ' rewrite ^/search/(.*) /pks/lookup?search=$1;' >> $keyserver_nginx_site echo ' rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site echo ' rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;' >> $keyserver_nginx_site echo ' rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site echo ' rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;' >> $keyserver_nginx_site echo '' >> $keyserver_nginx_site echo ' location /pks {' >> $keyserver_nginx_site echo " proxy_pass http://127.0.0.1:$KEYSERVER_PORT;" >> $keyserver_nginx_site echo ' proxy_pass_header Server;' >> $keyserver_nginx_site echo " add_header Via \"1.1 $KEYSERVER_DOMAIN_NAME:$KEYSERVER_PORT (nginx)\";" >> $keyserver_nginx_site echo ' proxy_ignore_client_abort on;' >> $keyserver_nginx_site echo ' client_max_body_size 8m;' >> $keyserver_nginx_site echo ' }' >> $keyserver_nginx_site echo '}' >> $keyserver_nginx_site function_check create_site_certificate if [ ! -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then create_site_certificate $KEYSERVER_DOMAIN_NAME 'yes' fi if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt ]; then mv /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.crt /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem fi if [ -f /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem ]; then chown root:root /etc/ssl/certs/${KEYSERVER_DOMAIN_NAME}.pem sed -i "s|.crt|.pem|g" /etc/nginx/sites-available/${KEYSERVER_DOMAIN_NAME} fi if [ -f /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key ]; then chown root:root /etc/ssl/private/${KEYSERVER_DOMAIN_NAME}.key fi chown -R www-data:www-data /var/www/$KEYSERVER_DOMAIN_NAME/htdocs function_check nginx_ensite nginx_ensite $KEYSERVER_DOMAIN_NAME systemctl restart nginx set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME" set_completion_param "keyserver onion domain" "$KEYSERVER_ONION_HOSTNAME" APP_INSTALLED=1 } # NOTE: deliberately no exit 0