diff --git a/src/freedombone b/src/freedombone index 15a7c26f..9bf80762 100755 --- a/src/freedombone +++ b/src/freedombone @@ -37,11 +37,9 @@ export TEXTDOMAINDIR="/usr/share/locale" DEFAULT_LANGUAGE=$(echo $LANG) -source /usr/local/bin/${PROJECT_NAME}-utils-git -source /usr/local/bin/${PROJECT_NAME}-utils-database -if [ -f /usr/bin/${PROJECT_NAME}-utils-git ]; then - source /usr/bin/${PROJECT_NAME}-utils-git - source /usr/bin/${PROJECT_NAME}-utils-database +PROJECT_INSTALL_DIR=/usr/local/bin +if [ -f /usr/bin/${PROJECT_NAME} ]; then + PROJECT_INSTALL_DIR=/usr/bin fi # username created by default within a debian image @@ -53,9 +51,6 @@ PROJECT_WEBSITE="http://${PROJECT_NAME}.uk.to" # Repo PROJECT_REPO="https://github.com/bashrc/${PROJECT_NAME}" -# default search engine for command line browser -DEFAULT_SEARCH='https://searx.laquadrature.net' - # Are we installing on a Beaglebone Black (BBB) or some other system? INSTALLING_ON_BBB="no" @@ -68,676 +63,39 @@ MINIMAL_INSTALL="yes" # Whether web sites will be .onion addresses only ONION_ONLY="no" -# Different system variants which may be specified within -# the SYSTEM_TYPE option -VARIANT_FULL="full" -VARIANT_WRITER="writer" -VARIANT_CLOUD="cloud" -VARIANT_CHAT="chat" -VARIANT_MAILBOX="mailbox" -VARIANT_NONMAILBOX="nonmailbox" -VARIANT_SOCIAL="social" -VARIANT_MEDIA="media" -VARIANT_DEVELOPER="developer" -VARIANT_MESH="mesh" - -DEFAULT_DOMAIN_NAME= -DEFAULT_DOMAIN_CODE= -MY_USERNAME= -SYSTEM_TYPE=$VARIANT_FULL - # whether the system is being installed from a pre-created configuration file INSTALLING_FROM_CONFIGURATION_FILE="no" -# An optional configuration file which overrides some of these variables -CONFIGURATION_FILE="${PROJECT_NAME}.cfg" - -SSH_PORT=2222 -IRC_PORT=6697 -IRC_ONION_PORT=6697 - -GO_VERSION=1.5 - -# password used for accessing your repo mirrors -MY_MIRRORS_PASSWORD= -# friend's repo mirrors -FRIENDS_MIRRORS_PASSWORD= -FRIENDS_MIRRORS_SERVER= -FRIENDS_MIRRORS_SSH_PORT=2222 - -# This isn't used here, but is included for mirrors creation purposes -LETSENCRYPT_REPO="https://github.com/letsencrypt/letsencrypt" - -# An optional password to log into IRC. This applies to all users -IRC_PASSWORD= - -# If this file exists it contains a global password used with -# disk image installs. This simplifies password management for -# deployment at scale -IMAGE_PASSWORD_FILE=/root/login.txt - -# parameters used when adding a new domain -DDNS_PROVIDER="default@freedns.afraid.org" -DDNS_USERNAME= -DDNS_PASSWORD= - -EXIM_ONION_REPO="https://github.com/petterreinholdtsen/exim4-smtorp" - -NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite" -NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0' - -CLEANUP_MAILDIR_REPO="https://github.com/bashrc/cleanup-maildir" -CLEANUP_MAILDIR_COMMIT='33241d2e3861f901ba17f5c77ada007e1ec06a86' - -INADYN_REPO="https://github.com/bashrc/inadyn" -INADYN_COMMIT='fadbe17f520d337dfb8d69ee4bf1fcaa23fce0d6' - -# Minimum number of characters in a password -MINIMUM_PASSWORD_LENGTH=10 - # number of CPU cores CPU_CORES=1 -# If the system is on an IPv6 network -IPV6_NETWORK='2001:470:26:307' - -# The static IP address of the system within the local network -# By default the IP address is dynamic within your LAN -LOCAL_NETWORK_STATIC_IP_ADDRESS= - -# IP address of the router (gateway) -ROUTER_IP_ADDRESS="192.168.1.254" - -# DNS -NAMESERVER1='213.73.91.35' -NAMESERVER2='85.214.20.141' - # whether to route outgoing traffic through Tor ROUTE_THROUGH_TOR="no" -# Why use Google as a time source? -# The thinking here is that it's likely to be reliable and fast. -# The ping doesn't reveal any information other than that the server -# is running, and if anyone maliciously alters the time on Google's -# servers then that would certainly be newsworthy and they'd be -# likely to do something about it quickly. -# If you have better time sources then change them here. -TLS_TIME_SOURCE1="google.com" -TLS_TIME_SOURCE2="www.ptb.de" - -# The type of hardware random number generator being used -# This can be empty, "beaglebone" or "onerng" -HWRNG_TYPE= - -# Download location for OneRNG driver -ONERNG_PACKAGE="onerng_3.4-1_all.deb" -ONERNG_PACKAGE_DOWNLOAD="https://github.com/OneRNG/onerng.github.io/blob/master/sw/$ONERNG_PACKAGE?raw=true" -# Hash for OneRNG driver -ONERNG_PACKAGE_HASH='78f1c2f52ae573e3b398a695ece7ab9f41868252657ea269f0d5cf0bd4f2eb59' - -# device name for OneRNG -ONERNG_DEVICE='ttyACM0' - # Whether this system is being installed within a docker container INSTALLED_WITHIN_DOCKER="no" -# If you want to run a public mailing list specify its name here. -# There should be no spaces in the name -PUBLIC_MAILING_LIST= -# Optional different domain name for the public mailing list -PUBLIC_MAILING_LIST_DOMAIN_NAME= -# Directory where the public mailing list data is stored -PUBLIC_MAILING_LIST_DIRECTORY="/var/spool/mlmmj" - -# If you want to run an encrypted mailing list specify its name here. -# There should be no spaces in the name -PRIVATE_MAILING_LIST= - -# Domain name for mediagoblin installation -MEDIAGOBLIN_DOMAIN_NAME= -MEDIAGOBLIN_CODE= -MEDIAGOBLIN_REPO="git://git.savannah.gnu.org/mediagoblin.git" -MEDIAGOBLIN_COMMIT='d1ac2d52fd8859c3f32fa38e4836ffe9615e5bba' -MEDIAGOBLIN_ADMIN_PASSWORD= -MEDIAGOBLIN_ONION_PORT=8096 - -#mediadrop -MEDIA_SERVER_DOMAIN_NAME= -MEDIA_SERVER_CODE= -MEDIA_SERVER_BASE_DIRECTORY=/var/www/media -MEDIA_SERVER_WORKING_DIRECTORY=${MEDIA_SERVER_BASE_DIRECTORY}/mediadrop -MEDIA_SERVER_REPO="https://github.com/mediadrop/mediadrop" -MEDIA_SERVER_COMMIT='ad44f47d99b5d57d3396a3afb80d68a4a182dadd' -MEDIA_SERVER_ONION_PORT=8098 -MEDIA_SERVER_ADMIN_PASSWORD= - -# Domain name for microblog installation -MICROBLOG_DOMAIN_NAME= -MICROBLOG_CODE= -MICROBLOG_ONION_PORT=8087 -MICROBLOG_REPO="https://git.gnu.io/gnu/gnu-social.git" -MICROBLOG_COMMIT='c67b89e56bf0f90730a9e22beca7e1bd41fc26c3' -MICROBLOG_ADMIN_PASSWORD= -MICROBLOG_THEME_REPO="https://git.gnu.io/h2p/Qvitter.git" -MICROBLOG_THEME_COMMIT='34510bcf37c727f91afad789fb0a531a45171ccf' -MICROBLOG_WELCOME_MESSAGE=$'

Welcome to GNU Social – a federated microblog

Another Freedombone site

' -MICROBLOG_BACKGROUND_IMAGE_URL= -MICROBLOG_MARKDOWN_REPO="https://git.gnu.io/chimo/markdown.git" -MICROBLOG_MARKDOWN_COMMIT='03c53942f94b3376f0946e6e1fe566cc21ccf232' - -# Sharings plugin for the microblog -SHARINGS_REPO="http://git.lasindias.club/bashrc/Sharings" -SHARINGS_COMMIT='d5c6c7f855d9afff9086c09ea706f38c859bc0d4' -SHARINGS_THEME_REPO="http://git.lasindias.club/manuel/SharingsTheme" -SHARINGS_THEME_COMMIT='7106c7ef03' - -# Domain name for hubzilla installation -HUBZILLA_DOMAIN_NAME= -HUBZILLA_CODE= -HUBZILLA_ONION_PORT=8085 -HUBZILLA_REPO="https://github.com/redmatrix/hubzilla.git" -HUBZILLA_THEMES_REPO="https://github.com/DeadSuperHero/redmatrix-themes" -HUBZILLA_ADDONS_REPO="https://github.com/redmatrix/hubzilla-addons.git" -HUBZILLA_ADMIN_PASSWORD= -HUBZILLA_COMMIT='2d79e75788aa71664a379c4cea0b6bfe3ab87ad0' -HUBZILLA_ADDONS_COMMIT='67b40c7a40f328a93ee030eb15e9e1261f3cba64' - -# roundcube webmail -WEBMAIL_REPO="https://github.com/roundcube/roundcubemail" -WEBMAIL_COMMIT='78cf9c2e5cff2d78cd8beb647d60570f195a2a9c' -WEBMAIL_ONION_HOSTNAME= -WEBMAIL_ONION_PORT=8097 -WEBMAIL_ADMIN_PASSWORD= - -# Domain name for git hosting installation -GIT_DOMAIN_NAME= -GIT_CODE= -GIT_ONION_PORT=8090 -GIT_DOMAIN_REPO="https://github.com/gogits/gogs" -GIT_ADMIN_PASSWORD= -GOGS_COMMIT='3fb4f7f4980b4339fd9ef6a3ba5b0acab83d264d' -GO_PACKAGE_MANAGER_REPO="https://github.com/gpmgo/gopm" -GVM_HOME=/home/git/gvm -GVM_REPO="https://github.com/moovweb/gvm" -GVM_COMMIT='25ea8ae158e2861c92e2b22c458e60840157832f' - -# Syncthing -SYNCTHING_ID= -SYNCTHING_CONFIG_PATH=/root/.config/syncthing -SYNCTHING_CONFIG_FILE=$SYNCTHING_CONFIG_PATH/config.xml -SYNCTHING_RELAY_SERVER='https://relays.syncthing.net/endpoint' -SYNCTHING_RELEASES='https://api.github.com/repos/syncthing/syncthing/releases?per_page=30' -SYNCTHING_PORT=22000 -SYNCTHING_SHARED_DATA=/var/lib/syncthing/SyncShared -SYNCTHING_USER_IDS_FILE='.syncthingids' - -# Domain name for your wiki -WIKI_DOMAIN_NAME= -WIKI_ADMIN_PASSWORD= -WIKI_TITLE="${PROJECT_NAME} Wiki" -WIKI_CODE= -WIKI_ONION_PORT=8089 - -# Domain name for your blog -FULLBLOG_DOMAIN_NAME= -FULLBLOG_CODE= -FULLBLOG_ONION_PORT=8086 -FULLBLOG_REPO="https://github.com/danpros/htmly" -FULLBLOG_COMMIT='bf5fe9486160be4da86d8987d3e5c977e1dc6d32' -MY_BLOG_TITLE="My Blog" -MY_BLOG_SUBTITLE="Another ${PROJECT_NAME} Blog" - -# search engine -SEARCH_ENGINE_REPO="https://github.com/asciimoo/searx" -SEARCH_ENGINE_COMMIT='fee556c9904637051a9ba874ba7e71cd9f10789f' -SEARCH_ENGINE_PATH=/etc -SEARCH_ENGINE_ONION_PORT=8094 -SEARCH_ENGINE_ONION_HOSTNAME= -SEARCH_ENGINE_LOGIN_TEXT=$"Search engine login" -SEARCH_ENGINE_PASSWORD= - -GPG_KEYSERVER="hkp://keys.gnupg.net" - -# whether to encrypt all incoming email with your public key -GPG_ENCRYPT_STORED_EMAIL="yes" - -# gets set to yes if gpg keys are imported from usb -GPG_KEYS_IMPORTED="no" - -# optionally you can provide your exported GPG key pair here -# Note that the private key file will be deleted after use -# If these are unspecified then a new GPG key will be created -MY_GPG_PUBLIC_KEY= -MY_GPG_PRIVATE_KEY= - -# optionally specify your public key ID -MY_GPG_PUBLIC_KEY_ID= - -# If you have existing mail within a Maildir -# you can specify the directory here and the files -# will be imported -IMPORT_MAILDIR= - -# The Debian package repository to use. -DEBIAN_REPO="ftp.us.debian.org" - DEBIAN_VERSION="jessie" -# Directory where source code is downloaded and compiled -INSTALL_DIR=$HOME/build - -# device name for an attached usb drive -USB_DRIVE=/dev/sda1 - -# Location where the USB drive is mounted to -USB_MOUNT=/mnt/usb - -# name of a script used to upgrade the system -UPGRADE_SCRIPT_NAME="${PROJECT_NAME}-upgrade" - -# name of a script which keeps running processes going even if they crash -WATCHDOG_SCRIPT_NAME="keepon" - -# Number of days to keep backups for -BACKUP_MAX_DAYS=30 - -# memory limit for php in MB -MAX_PHP_MEMORY=64 - -# default MariaDB password -MARIADB_PASSWORD= - -# Directory where XMPP settings are stored -XMPP_DIRECTORY="/var/lib/prosody" -XMPP_PASSWORD= - -# file containing a list of remote locations to backup to -# Format: [username@friendsdomain//home/username] [ssh_password] -# With the only space character being between the server and the password -FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list - -# list of encryption protocols -SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2" - -# list of ciphers to use. See bettercrypto.org recommendations -SSL_CIPHERS="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA" - -# ssh (from https://stribika.github.io/2015/01/04/secure-secure-shell.html) -SSH_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" -SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com" -SSH_KEX="curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" -SSH_HOST_KEY_ALGORITHMS="ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa" - -# xmpp ciphers and curve -XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"' -XMPP_ECC_CURVE='"secp384r1"' - -# the default email address -MY_EMAIL_ADDRESS=$MY_USERNAME@$DEFAULT_DOMAIN_NAME - -# optionally specify your name to appear on the blog -MY_NAME=$DEFAULT_DOMAIN_NAME - -export DEBIAN_FRONTEND=noninteractive - -# logging level for Nginx -WEBSERVER_LOG_LEVEL='warn' - -# used to limit CPU usage -CPULIMIT='/usr/bin/cpulimit -l 20 -e' - -# command to create a git repository -CREATE_GIT_PROJECT_COMMAND='create-project' - -# File which keeps track of what has already been installed -COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt - -# Used to indicate whether the backup contains MariaDB databases or not -BACKUP_INCLUDES_DATABASES="no" - -# contains the mysql root password which -# is used for backups and repair -DATABASE_PASSWORD_FILE=/root/dbpass - -# log file where details of remote backups are stored -REMOTE_BACKUPS_LOG=/var/log/remotebackups.log - -# message if something fails to install -CHECK_MESSAGE="Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list." - -# web site used to obtain the external IP address of the system -GET_IP_ADDRESS_URL="checkip.two-dns.de" - -# Password used for VoIP server -VOIP_SERVER_PASSWORD= -# Port on which VoIP server listens -VOIP_PORT=64738 -SIP_SERVER_PASSWORD= -SIP_PORT=5060 -SIP_TLS_PORT=5061 -VOIP_TURN_PORT=3478 -VOIP_TURN_TLS_PORT=5349 -VOIP_TURN_NONCE= - -# Location of VoIP database and configuration -VOIP_DATABASE="mumble-server.sqlite" -VOIP_CONFIG_FILE="mumble-server.ini" - -# other possible services to obtain the external IP address -EXTERNAL_IP_SERVICES=( \ - 'https://check.torproject.org/' \ - 'https://www.whatsmydns.net/whats-my-ip-address.html' \ - 'https://www.privateinternetaccess.com/pages/whats-my-ip/' \ - 'http://checkip.two-dns.de' \ - 'http://ip.dnsexit.com' \ - 'http://ifconfig.me/ip' \ - 'http://ipecho.net/plain' \ - 'http://checkip.dyndns.org/plain' \ - 'http://ipogre.com/linux.php' \ - 'http://whatismyipaddress.com/' \ - 'http://ip.my-proxy.com/' \ - 'http://websiteipaddress.com/WhatIsMyIp' \ - 'http://getmyipaddress.org/' \ - 'http://www.my-ip-address.net/' \ - 'http://myexternalip.com/raw' \ - 'http://www.canyouseeme.org/' \ - 'http://www.trackip.net/' \ - 'http://icanhazip.com/' \ - 'http://www.iplocation.net/' \ - 'http://www.howtofindmyipaddress.com/' \ - 'http://www.ipchicken.com/' \ - 'http://whatsmyip.net/' \ - 'http://www.ip-adress.com/' \ - 'http://checkmyip.com/' \ - 'http://www.tracemyip.org/' \ - 'http://checkmyip.net/' \ - 'http://www.lawrencegoetz.com/programs/ipinfo/' \ - 'http://www.findmyip.co/' \ - 'http://ip-lookup.net/' \ - 'http://www.dslreports.com/whois' \ - 'http://www.mon-ip.com/en/my-ip/' \ - 'http://www.myip.ru' \ - 'http://ipgoat.com/' \ - 'http://www.myipnumber.com/my-ip-address.asp' \ - 'http://www.whatsmyipaddress.net/' \ - 'http://formyip.com/' \ - 'http://www.displaymyip.com/' \ - 'http://www.bobborst.com/tools/whatsmyip/' \ - 'http://www.geoiptool.com/' \ - 'http://checkip.dyndns.com/' \ - 'http://myexternalip.com/' \ - 'http://www.ip-adress.eu/' \ - 'http://www.infosniper.net/' \ - 'http://wtfismyip.com/' \ - 'http://ipinfo.io/' \ - 'http://httpbin.org/ip') - -WIFI_CHANNEL=2 -WIFI_INTERFACE=wlan0 -WIFI_TYPE='wpa2-psk' -WIFI_SSID= -WIFI_PASSPHRASE= -WIFI_HOTSPOT='no' -WIFI_NETWORKS_FILE=~/${PROJECT_NAME}-wifi.cfg - -# cjdns settings -ENABLE_CJDNS="no" -CJDNS_PRIVATE_KEY= -CJDNS_PUBLIC_KEY= -CJDNS_IPV6= -CJDNS_PASSWORD= -CJDNS_PORT= -CJDNS_REPO="https://github.com/cjdelisle/cjdns.git" -CJDNS_COMMIT='13189fde111d0500427a7a0ce06a970753527bca' -CJDCMD_REPO="https://github.com/inhies/cjdcmd" -CJDCMD_COMMIT='973cca6ed0eecf9041c3403a40193c0b1291b808' - -# B.A.T.M.A.N settings -ENABLE_BATMAN="no" -BATMAN_CELLID='any' - -# Babel mesh -ENABLE_BABEL="no" -BABEL_PORT=6696 - # social key management ENABLE_SOCIAL_KEY_MANAGEMENT="no" -TOX_PORT=33445 -TOXCORE_REPO="git://github.com/irungentoo/toxcore.git" -TOXCORE_COMMIT='532629d486e3361c7d8d95b38293cc7d61dc4ee5' -TOXID_REPO="https://github.com/bashrc/toxid" -TOX_BOOTSTRAP_ID_FILE=/var/lib/tox-bootstrapd/pubkey.txt -# These are some default nodes, but you can replace them with trusted nodes -# as you prefer. See https://wiki.tox.im/Nodes -TOX_NODES= -#TOX_NODES=( -# '192.254.75.102,2607:5600:284::2,33445,951C88B7E75C867418ACDB5D273821372BB5BD652740BCDF623A4FA293E75D2F,Tox RELENG,US' -# '144.76.60.215,2a01:4f8:191:64d6::1,33445,04119E835DF3E78BACF0F84235B300546AF8B936F035185E2A8E9E0A67C8924F,sonOfRa,DE' -#) -TOXIC_REPO="https://github.com/Tox/toxic" -TOXIC_COMMIT='cf16849b374e484a33a4dffa3dfb937b59d537f2' -TOXIC_FILE=/usr/local/bin/toxic +# include utils +UTILS_FILES=$PROJECT_INSTALL_DIR/${PROJECT_NAME}-utils-* +for f in $UTILS_FILES +do + source $f +done -ZERONET_REPO="https://github.com/HelloZeroNet/ZeroNet.git" -ZERONET_COMMIT='675bd462556c541d65e2d95f91f899146a373aad' -ZERONET_BLOG_REPO="https://github.com/HelloZeroNet/ZeroBlog" -ZERONET_BLOG_COMMIT='bbb0d6c36465fed2e6df71f1aab45fcc9c6ad609' -ZERONET_MAIL_REPO="https://github.com/HelloZeroNet/ZeroMail" -ZERONET_MAIL_COMMIT='955af09d643c72b02e4983d71eca5c0c93a6c131' -ZERONET_FORUM_REPO="https://github.com/HelloZeroNet/ZeroTalk" -ZERONET_FORUM_COMMIT='e2d2c9cb1cfbfef91b244935efb5c14c2ad95faa' -ZERONET_URL=http://127.0.0.1:43110 -ZERONET_PORT=15441 -TRACKER_PORT=6969 -ZERONET_DEFAULT_BLOG_TAGLINE="Blogging on the Mesh" -ZERONET_DEFAULT_FORUM_TAGLINE="A decentralized discussion group" -ZERONET_DEFAULT_MAIL_TAGLINE="Mail for the Mesh" -ZERONET_ID_REPO="https://github.com/HelloZeroNet/ZeroID" -ZERONET_ID_COMMIT='ccf14fdc96fa9cdb2ddd8a7ab283a8e17a4f234b' +#include apps +APP_FILES=$PROJECT_INSTALL_DIR/${PROJECT_NAME}-app-* +for f in $UTILS_FILES +do + source $f +done -MESH_INSTALL_DIR=/var/lib - -# https://github.com/ipfs/go-ipfs -IPFS_GO_REPO="https://github.com/ipfs/go-ipfs" -IPFS_COMMIT='20b06a4cbce8884f5b194da6e98cb11f2c77f166' -IPFS_PORT=4001 - -GPGIT_REPO="https://github.com/mikecardwell/gpgit" -GPGIT_COMMIT='583dc76119f19420f8a33f606744faa7c8922738' - -# Default diffie-hellman key length in bits -DH_KEYLENGTH=2048 - -# repo for atheros AR9271 wifi driver -ATHEROS_WIFI_REPO="https://github.com/qca/open-ath9k-htc-firmware.git" - -# Whether Let's Encrypt is enabled for all sites -LETSENCRYPT_ENABLED="no" -LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' - -RSS_READER_REPO="https://tt-rss.org/git/tt-rss.git" -RSS_READER_COMMIT='9e84bab449f9ed55e02e60378b0af1521026f3b8' -RSS_READER_ADMIN_PASSWORD= -RSS_READER_ONION_PORT=8092 -RSS_MOBILE_READER_ONION_PORT=8095 -RSS_READER_DOMAIN_NAME=ttrss -RSS_MOBILE_READER_REPO="https://github.com/mboinet/ttrss-mobile" -RSS_MOBILE_READER_COMMIT='d5242e1c269e9480ab3b66b7a38da3c892dfb326' -RSS_READER_PATH=/etc/share/tt-rss -RSS_READER_GNUSOCIAL_REPO="https://github.com/bashrc/ttrss-gnusocial" -RSS_READER_GNUSOCIAL_COMMIT='8b92b8f5db7b0d12459c7bd86a50f48815efe642' - -# refresh gpg keys every few hours -REFRESH_GPG_KEYS_HOURS=2 - -# Time synchronisation -TLSDATE_REPO="https://github.com/bashrc/tlsdate" -TLSDATE_COMMIT='505e31540eebde8074e7dc93b29be0d848def06a' - -function show_help { - echo '' - echo $"${PROJECT_NAME} -c [configuration file]" - echo '' - echo $' -h --help Show help' - echo $' menuconfig Easy interactive installation' - echo $' menuconfig-full Full interactive installation' - echo $' menuconfig-onion Interactive installation for onion-only sites' - echo $' -c --config Installing from a configuration file' - echo $' --bbb Installing on Beaglebone Black' - echo $' -u --user User to install the system as' - echo $' -d --domain Default domain name' - echo $' -s --system System type' - echo $' --ip Static LAN IP address of the system' - echo $' --iprouter LAN IP address of the internet router' - echo $' --ddns Dynamic DNS provider domain' - echo $' --ddnsuser Dynamic DNS provider username' - echo $' --ddnspass Dynamic DNS provider password' - echo '' - echo $' --microblogdomain Microblog domain name' - echo $' --wikidomain Wiki domain name' - echo $' --blogdomain Blog domain name' - echo $' --hubzilladomain Hubzilla domain name' - echo $' --gitdomain Git hosting domain name' - echo $' -t --time Domain used as a TLS time source' - echo $' --ssh ssh port number' - echo $' --list Public mailing list name' - echo $' --cores Number of CPU cores' - echo $' --name Your name' - echo $' --email Your email address' - echo $' --usb Path for the USB drive (eg. /dev/sdb1)' - echo $' --cjdns Enable CJDNS' - echo $' --vpass VoIP server password' - echo $' --vport VoIP server port' - echo $' --ns1 First DNS nameserver' - echo $' --ns2 Second DNS nameserver' - echo $' --repo Debian repository' - echo '' - echo $'system types' - echo '------------' - echo $'This can either be blank if you wish to install the full system,' - echo $"or for more specialised variants you can specify '$VARIANT_MAILBOX', '$VARIANT_CLOUD'," - echo $"'$VARIANT_CHAT', '$VARIANT_SOCIAL', '$VARIANT_MEDIA', '$VARIANT_WRITER', '$VARIANT_DEVELOPER'" - echo $"or '$VARIANT_MESH'." - echo '' - echo $"If you wish to install everything except email then use the '$VARIANT_NONMAILBOX' variaint." - echo '' - exit 0 -} - -function locale_setup { - if grep -Fxq "locale_setup" $COMPLETION_FILE; then - return - fi - - apt-get -y install locales locales-all debconf - - if [ ! "$DEFAULT_LANGUAGE" ]; then - DEFAULT_LANGUAGE='en_GB.UTF-8' - fi - if [ ${#DEFAULT_LANGUAGE} -lt 2 ]; then - DEFAULT_LANGUAGE='en_GB.UTF-8' - fi - - update-locale LANG=${DEFAULT_LANGUAGE} - update-locale LANGUAGE=${DEFAULT_LANGUAGE} - update-locale LC_MESSAGES=${DEFAULT_LANGUAGE} - update-locale LC_ALL=${DEFAULT_LANGUAGE} - update-locale LC_CTYPE=${DEFAULT_LANGUAGE} - - echo 'locale_setup' >> $COMPLETION_FILE -} - -function interactive_configuration_remote_backups { - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! -f /usr/local/bin/${PROJECT_NAME}-remote ]; then - if [ ! -f /usr/bin/${PROJECT_NAME}-remote ]; then - echo $"The command ${PROJECT_NAME}-remote was not found" - exit 87354 - fi - fi - ${PROJECT_NAME}-remote -u $MY_USERNAME -l $FRIENDS_SERVERS_LIST -m $MINIMUM_PASSWORD_LENGTH -r yes - if [ ! "$?" = "0" ]; then - echo $'Command failed:' - echo '' - echo $" ${PROJECT_NAME}-remote -u $MY_USERNAME -l $FRIENDS_SERVERS_LIST -m $MINIMUM_PASSWORD_LENGTH -r yes" - echo '' - exit 65892 - fi -} - -# test a domain name to see if it's valid -function validate_domain_name { - # count the number of dots in the domain name - dots=${TEST_DOMAIN_NAME//[^.]} - no_of_dots=${#dots} - if (( $no_of_dots > 3 )); then - TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z" - fi - if (( $no_of_dots == 0 )); then - TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z" - fi -} - -function interactive_configuration { - if [ ! -f /usr/local/bin/${PROJECT_NAME}-config ]; then - if [ ! -f /usr/bin/${PROJECT_NAME}-config ]; then - echo $"The command ${PROJECT_NAME}-config was not found" - exit 63935 - fi - fi - if [ -f /tmp/meshuserdevice ]; then - rm -f /tmp/meshuserdevice - fi - - if [[ $ONION_ONLY == "no" ]]; then - if [[ $MINIMAL_INSTALL == "no" ]]; then - ${PROJECT_NAME}-config \ - -f $CONFIGURATION_FILE \ - -w $PROJECT_WEBSITE \ - -m $MINIMUM_PASSWORD_LENGTH - else - ${PROJECT_NAME}-config \ - -f $CONFIGURATION_FILE \ - -w $PROJECT_WEBSITE \ - -m $MINIMUM_PASSWORD_LENGTH \ - --minimal "yes" - fi - else - ${PROJECT_NAME}-config \ - -f $CONFIGURATION_FILE \ - -w $PROJECT_WEBSITE \ - -m $MINIMUM_PASSWORD_LENGTH \ - --onion "yes" - fi - if [ -f /tmp/meshuserdevice ]; then - # mesh network user device installation - rm -f /tmp/meshuserdevice - exit 0 - fi - if [ ! "$?" = "0" ]; then - echo $'Command failed:' - echo '' - echo $" ${PROJECT_NAME}-config -u $MY_USERNAME -f $CONFIGURATION_FILE -w $PROJECT_WEBSITE -b $PROJECT_BITMESSAGE -m $MINIMUM_PASSWORD_LENGTH --minimal [yes|no]" - echo '' - exit 73594 - fi - - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list - - dialog --title $"Encrypted backup to other servers" \ - --backtitle $"${PROJECT_NAME} Configuration" \ - --defaultno \ - --yesno $"\nDo you wish to configure some remote backup locations?" 7 60 - sel=$? - case $sel in - 0) interactive_configuration_remote_backups;; - esac - fi -} +# optionally specify your name to appear on the blog +MY_NAME=$DEFAULT_DOMAIN_NAME command_options=$1 @@ -971,10105 +329,13 @@ function parse_args { fi } -function read_repo_servers { - if [ -f $CONFIGURATION_FILE ]; then - if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then - FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then - FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then - MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then - FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - fi - - if [ ! $FRIENDS_MIRRORS_SERVER ]; then - return - fi - if [ ${#FRIENDS_MIRRORS_SERVER} -lt 2 ]; then - return - fi - - MAIN_COMMAND=/usr/local/bin/${PROJECT_NAME} - if [ ! -f $MAIN_COMMAND ]; then - MAIN_COMMAND=/usr/bin/${PROJECT_NAME} - fi - - REPOS=($(cat ${MAIN_COMMAND} | grep "_REPO=\"" | uniq -u | sed 's|${PROJECT_NAME}|'"${PROJECT_NAME}"'|g')) - - for line in "${REPOS[@]}" - do - repo_name=$(echo "$line" | awk -F '=' '{print $1}') - mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}') - friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}" - ${repo_name}="${friends_repo_url}" - done -} - -function read_configuration { - # if not installing on a Beaglebone then use sdb as the USB drive by default - if [ ! $INSTALLING_ON_BBB ]; then - if [[ $USB_DRIVE == /dev/sda1 ]]; then - USB_DRIVE=/dev/sdb1 - fi - fi - - if [[ $INSTALLING_FROM_CONFIGURATION_FILE == "yes" ]]; then - if [ ! -f $CONFIGURATION_FILE ]; then - echo $"The configuration file $CONFIGURATION_FILE was not found" - exit 8935 - fi - fi - - if [ -f $CONFIGURATION_FILE ]; then - read_repo_servers - - # Ensure that a copy of the config exists for upgrade purposes - if [[ $CONFIGURATION_FILE != "/root/${PROJECT_NAME}.cfg" ]]; then - cp $CONFIGURATION_FILE /root/${PROJECT_NAME}.cfg - fi - if grep -q "REFRESH_GPG_KEYS_HOURS" $CONFIGURATION_FILE; then - REFRESH_GPG_KEYS_HOURS=$(grep "REFRESH_GPG_KEYS_HOURS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WEBMAIL_REPO" $CONFIGURATION_FILE; then - WEBMAIL_REPO=$(grep "WEBMAIL_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WEBMAIL_COMMIT" $CONFIGURATION_FILE; then - WEBMAIL_COMMIT=$(grep "WEBMAIL_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WIFI_INTERFACE" $CONFIGURATION_FILE; then - WIFI_INTERFACE=$(grep "WIFI_INTERFACE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WIFI_SSID" $CONFIGURATION_FILE; then - WIFI_SSID=$(grep "WIFI_SSID" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WIFI_TYPE" $CONFIGURATION_FILE; then - WIFI_TYPE=$(grep "WIFI_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WIFI_PASSPHRASE" $CONFIGURATION_FILE; then - WIFI_PASSPHRASE=$(grep "WIFI_PASSPHRASE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WIFI_HOTSPOT" $CONFIGURATION_FILE; then - WIFI_HOTSPOT=$(grep "WIFI_HOTSPOT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WIFI_NETWORKS_FILE" $CONFIGURATION_FILE; then - WIFI_NETWORKS_FILE=$(grep "WIFI_NETWORKS_FILE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SYNCTHING_ID" $CONFIGURATION_FILE; then - SYNCTHING_ID=$(grep "SYNCTHING_ID" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SYNCTHING_CONFIG_PATH" $CONFIGURATION_FILE; then - SYNCTHING_CONFIG_PATH=$(grep "SYNCTHING_CONFIG_PATH" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SYNCTHING_CONFIG_FILE" $CONFIGURATION_FILE; then - SYNCTHING_CONFIG_FILE=$(grep "SYNCTHING_CONFIG_FILE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SYNCTHING_RELAY_SERVER" $CONFIGURATION_FILE; then - SYNCTHING_RELAY_SERVER=$(grep "SYNCTHING_RELAY_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SYNCTHING_RELEASES" $CONFIGURATION_FILE; then - SYNCTHING_RELEASES=$(grep "SYNCTHING_RELEASES" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SYNCTHING_PORT" $CONFIGURATION_FILE; then - SYNCTHING_PORT=$(grep "SYNCTHING_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SYNCTHING_SHARED_DATA" $CONFIGURATION_FILE; then - SYNCTHING_SHARED_DATA=$(grep "SYNCTHING_SHARED_DATA" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "VOIP_TURN_PORT" $CONFIGURATION_FILE; then - VOIP_TURN_PORT=$(grep "VOIP_TURN_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "VOIP_TURN_TLS_PORT" $CONFIGURATION_FILE; then - VOIP_TURN_TLS_PORT=$(grep "VOIP_TURN_TLS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "VOIP_TURN_NONCE" $CONFIGURATION_FILE; then - VOIP_TURN_NONCE=$(grep "VOIP_TURN_NONCE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "DEFAULT_SEARCH" $CONFIGURATION_FILE; then - DEFAULT_SEARCH=$(grep "DEFAULT_SEARCH" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SEARCH_ENGINE_PASSWORD" $CONFIGURATION_FILE; then - SEARCH_ENGINE_PASSWORD=$(grep "SEARCH_ENGINE_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "XMPP_PASSWORD" $CONFIGURATION_FILE; then - XMPP_PASSWORD=$(grep "XMPP_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "RSS_READER_REPO" $CONFIGURATION_FILE; then - RSS_READER_REPO=$(grep "RSS_READER_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "RSS_MOBILE_READER_REPO" $CONFIGURATION_FILE; then - RSS_MOBILE_READER_REPO=$(grep "RSS_MOBILE_READER_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "RSS_READER_COMMIT" $CONFIGURATION_FILE; then - RSS_READER_COMMIT=$(grep "RSS_READER_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "RSS_MOBILE_READER_COMMIT" $CONFIGURATION_FILE; then - RSS_MOBILE_READER_COMMIT=$(grep "RSS_MOBILE_READER_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "RSS_READER_ADMIN_PASSWORD" $CONFIGURATION_FILE; then - RSS_READER_ADMIN_PASSWORD=$(grep "RSS_READER_ADMIN_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "RSS_READER_DOMAIN_NAME" $CONFIGURATION_FILE; then - RSS_READER_DOMAIN_NAME=$(grep "RSS_READER_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MICROBLOG_BACKGROUND_IMAGE_URL" $CONFIGURATION_FILE; then - MICROBLOG_BACKGROUND_IMAGE_URL=$(grep "MICROBLOG_BACKGROUND_IMAGE_URL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MICROBLOG_WELCOME_MESSAGE" $CONFIGURATION_FILE; then - MICROBLOG_WELCOME_MESSAGE=$(grep "MICROBLOG_WELCOME_MESSAGE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "PROJECT_WEBSITE" $CONFIGURATION_FILE; then - PROJECT_WEBSITE=$(grep "PROJECT_WEBSITE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "PROJECT_REPO" $CONFIGURATION_FILE; then - PROJECT_REPO=$(grep "PROJECT_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ONION_ONLY" $CONFIGURATION_FILE; then - ONION_ONLY=$(grep "ONION_ONLY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "IRC_PASSWORD" $CONFIGURATION_FILE; then - IRC_PASSWORD=$(grep "IRC_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "DEFAULT_LANGUAGE" $CONFIGURATION_FILE; then - DEFAULT_LANGUAGE=$(grep "DEFAULT_LANGUAGE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MINIMAL_INSTALL" $CONFIGURATION_FILE; then - MINIMAL_INSTALL=$(grep "MINIMAL_INSTALL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "LETSENCRYPT_SERVER" $CONFIGURATION_FILE; then - LETSENCRYPT_SERVER=$(grep "LETSENCRYPT_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "FULLBLOG_REPO" $CONFIGURATION_FILE; then - FULLBLOG_REPO=$(grep "FULLBLOG_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "FULLBLOG_COMMIT" $CONFIGURATION_FILE; then - FULLBLOG_COMMIT=$(grep "FULLBLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "GOGS_COMMIT" $CONFIGURATION_FILE; then - GOGS_COMMIT=$(grep "GOGS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "TOXCORE_COMMIT" $CONFIGURATION_FILE; then - TOXCORE_COMMIT=$(grep "TOXCORE_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "TOXIC_COMMIT" $CONFIGURATION_FILE; then - TOXIC_COMMIT=$(grep "TOXIC_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "GPGIT_REPO" $CONFIGURATION_FILE; then - GPGIT_REPO=$(grep "GPGIT_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "GPGIT_COMMIT" $CONFIGURATION_FILE; then - GPGIT_COMMIT=$(grep "GPGIT_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "HUBZILLA_REPO" $CONFIGURATION_FILE; then - HUBZILLA_REPO=$(grep "HUBZILLA_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "HUBZILLA_COMMIT" $CONFIGURATION_FILE; then - HUBZILLA_COMMIT=$(grep "HUBZILLA_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "IPFS_COMMIT" $CONFIGURATION_FILE; then - IPFS_COMMIT=$(grep "IPFS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ZERONET_BLOG_COMMIT" $CONFIGURATION_FILE; then - ZERONET_BLOG_COMMIT=$(grep "ZERONET_BLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ZERONET_MAIL_COMMIT" $CONFIGURATION_FILE; then - ZERONET_MAIL_COMMIT=$(grep "ZERONET_MAIL_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ZERONET_FORUM_COMMIT" $CONFIGURATION_FILE; then - ZERONET_FORUM_COMMIT=$(grep "ZERONET_FORUM_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MICROBLOG_COMMIT" $CONFIGURATION_FILE; then - MICROBLOG_COMMIT=$(grep "MICROBLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "NGINX_ENSITE_REPO" $CONFIGURATION_FILE; then - NGINX_ENSITE_REPO=$(grep "NGINX_ENSITE_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "NGINX_ENSITE_COMMIT" $CONFIGURATION_FILE; then - NGINX_ENSITE_COMMIT=$(grep "NGINX_ENSITE_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "CLEANUP_MAILDIR_COMMIT" $CONFIGURATION_FILE; then - CLEANUP_MAILDIR_COMMIT=$(grep "CLEANUP_MAILDIR_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "CLEANUP_MAILDIR_REPO" $CONFIGURATION_FILE; then - CLEANUP_MAILDIR_REPO=$(grep "CLEANUP_MAILDIR_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ZERONET_COMMIT" $CONFIGURATION_FILE; then - ZERONET_COMMIT=$(grep "ZERONET_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "INADYN_REPO" $CONFIGURATION_FILE; then - INADYN_REPO=$(grep "INADYN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "INADYN_COMMIT" $CONFIGURATION_FILE; then - INADYN_COMMIT=$(grep "INADYN_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "GPG_KEYSERVER" $CONFIGURATION_FILE; then - GPG_KEYSERVER=$(grep "GPG_KEYSERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "IPFS_PORT" $CONFIGURATION_FILE; then - IPFS_PORT=$(grep "IPFS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "TRACKER_PORT" $CONFIGURATION_FILE; then - TRACKER_PORT=$(grep "TRACKER_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ZERONET_PORT" $CONFIGURATION_FILE; then - ZERONET_PORT=$(grep "ZERONET_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "DH_KEYLENGTH" $CONFIGURATION_FILE; then - DH_KEYLENGTH=$(grep "DH_KEYLENGTH" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "IRC_PORT" $CONFIGURATION_FILE; then - IRC_PORT=$(grep "IRC_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WIFI_CHANNEL" $CONFIGURATION_FILE; then - WIFI_CHANNEL=$(grep "WIFI_CHANNEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "BATMAN_CELLID" $CONFIGURATION_FILE; then - BATMAN_CELLID=$(grep "BATMAN_CELLID" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "TOX_PORT" $CONFIGURATION_FILE; then - TOX_PORT=$(grep "TOX_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "TOX_NODES" $CONFIGURATION_FILE; then - TOX_NODES=$(grep "TOX_NODES" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "TOXCORE_REPO" $CONFIGURATION_FILE; then - TOXCORE_REPO=$(grep "TOXCORE_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ENABLE_SOCIAL_KEY_MANAGEMENT" $CONFIGURATION_FILE; then - ENABLE_SOCIAL_KEY_MANAGEMENT=$(grep "ENABLE_SOCIAL_KEY_MANAGEMENT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "IPV6_NETWORK" $CONFIGURATION_FILE; then - IPV6_NETWORK=$(grep "IPV6_NETWORK" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "HWRNG_TYPE" $CONFIGURATION_FILE; then - HWRNG_TYPE=$(grep "HWRNG_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MEDIA_SERVER_ADMIN_PASSWORD" $CONFIGURATION_FILE; then - MEDIA_SERVER_ADMIN_PASSWORD=$(grep "MEDIA_SERVER_ADMIN_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MEDIA_SERVER_DOMAIN_NAME" $CONFIGURATION_FILE; then - MEDIA_SERVER_DOMAIN_NAME=$(grep "MEDIA_SERVER_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MEDIA_SERVER_CODE" $CONFIGURATION_FILE; then - MEDIA_SERVER_CODE=$(grep "MEDIA_SERVER_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MEDIA_SERVER_REPO" $CONFIGURATION_FILE; then - MEDIA_SERVER_REPO=$(grep "MEDIA_SERVER_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MEDIA_SERVER_COMMIT" $CONFIGURATION_FILE; then - MEDIA_SERVER_COMMIT=$(grep "MEDIA_SERVER_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MEDIAGOBLIN_DOMAIN_NAME" $CONFIGURATION_FILE; then - MEDIAGOBLIN_DOMAIN_NAME=$(grep "MEDIAGOBLIN_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MEDIAGOBLIN_CODE" $CONFIGURATION_FILE; then - MEDIAGOBLIN_CODE=$(grep "MEDIAGOBLIN_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MEDIAGOBLIN_REPO" $CONFIGURATION_FILE; then - MEDIAGOBLIN_REPO=$(grep "MEDIAGOBLIN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MEDIAGOBLIN_COMMIT" $CONFIGURATION_FILE; then - MEDIAGOBLIN_COMMIT=$(grep "MEDIAGOBLIN_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "GIT_ADMIN_PASSWORD" $CONFIGURATION_FILE; then - GIT_ADMIN_PASSWORD=$(grep "GIT_ADMIN_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "GIT_DOMAIN_NAME" $CONFIGURATION_FILE; then - GIT_DOMAIN_NAME=$(grep "GIT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "GIT_CODE" $CONFIGURATION_FILE; then - GIT_CODE=$(grep "GIT_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SYSTEM_TYPE" $CONFIGURATION_FILE; then - SYSTEM_TYPE=$(grep "SYSTEM_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SSL_PROTOCOLS" $CONFIGURATION_FILE; then - SSL_PROTOCOLS=$(grep "SSL_PROTOCOLS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SSL_CIPHERS" $CONFIGURATION_FILE; then - SSL_CIPHERS=$(grep "SSL_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SSH_CIPHERS" $CONFIGURATION_FILE; then - SSH_CIPHERS=$(grep "SSH_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SSH_MACS" $CONFIGURATION_FILE; then - SSH_MACS=$(grep "SSH_MACS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SSH_KEX" $CONFIGURATION_FILE; then - SSH_KEX=$(grep "SSH_KEX" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SSH_HOST_KEY_ALGORITHMS" $CONFIGURATION_FILE; then - SSH_HOST_KEY_ALGORITHMS=$(grep "SSH_HOST_KEY_ALGORITHMS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SSH_PASSWORDS" $CONFIGURATION_FILE; then - SSH_PASSWORDS=$(grep "SSH_PASSWORDS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "XMPP_CIPHERS" $CONFIGURATION_FILE; then - XMPP_CIPHERS=$(grep "XMPP_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "XMPP_ECC_CURVE" $CONFIGURATION_FILE; then - XMPP_ECC_CURVE=$(grep "XMPP_ECC_CURVE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MY_USERNAME" $CONFIGURATION_FILE; then - MY_USERNAME=$(grep "MY_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "DOMAIN_NAME" $CONFIGURATION_FILE; then - # for backwards compatability - DEFAULT_DOMAIN_NAME=$(grep "DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then - DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "DEFAULT_DOMAIN_CODE" $CONFIGURATION_FILE; then - DEFAULT_DOMAIN_CODE=$(grep "DEFAULT_DOMAIN_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "NAMESERVER1" $CONFIGURATION_FILE; then - NAMESERVER1=$(grep "NAMESERVER1" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "NAMESERVER2" $CONFIGURATION_FILE; then - NAMESERVER2=$(grep "NAMESERVER2" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "DEBIAN_REPO" $CONFIGURATION_FILE; then - DEBIAN_REPO=$(grep "DEBIAN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - CHECK_MESSAGE=$"Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list." - fi - if grep -q "VOIP_PORT" $CONFIGURATION_FILE; then - VOIP_PORT=$(grep "VOIP_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "VOIP_SERVER_PASSWORD" $CONFIGURATION_FILE; then - VOIP_SERVER_PASSWORD=$(grep "VOIP_SERVER_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SIP_PORT" $CONFIGURATION_FILE; then - SIP_PORT=$(grep "SIP_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SIP_TLS_PORT" $CONFIGURATION_FILE; then - SIP_TLS_PORT=$(grep "SIP_TLS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SIP_SERVER_PASSWORD" $CONFIGURATION_FILE; then - SIP_SERVER_PASSWORD=$(grep "SIP_SERVER_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "GET_IP_ADDRESS_URL" $CONFIGURATION_FILE; then - GET_IP_ADDRESS_URL=$(grep "GET_IP_ADDRESS_URL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "DDNS_PROVIDER" $CONFIGURATION_FILE; then - DDNS_PROVIDER=$(grep "DDNS_PROVIDER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "DDNS_USERNAME" $CONFIGURATION_FILE; then - DDNS_USERNAME=$(grep "DDNS_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "DDNS_PASSWORD" $CONFIGURATION_FILE; then - DDNS_PASSWORD=$(grep "DDNS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "LOCAL_NETWORK_STATIC_IP_ADDRESS" $CONFIGURATION_FILE; then - LOCAL_NETWORK_STATIC_IP_ADDRESS=$(grep "LOCAL_NETWORK_STATIC_IP_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ENABLE_BABEL" $CONFIGURATION_FILE; then - ENABLE_BABEL=$(grep "ENABLE_BABEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ENABLE_BATMAN" $CONFIGURATION_FILE; then - ENABLE_BATMAN=$(grep "ENABLE_BATMAN" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ENABLE_CJDNS" $CONFIGURATION_FILE; then - ENABLE_CJDNS=$(grep "ENABLE_CJDNS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "CJDNS_COMMIT" $CONFIGURATION_FILE; then - CJDNS_COMMIT=$(grep "CJDNS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "CJDNS_IPV6" $CONFIGURATION_FILE; then - CJDNS_IPV6=$(grep "CJDNS_IPV6" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "CJDNS_PUBLIC_KEY" $CONFIGURATION_FILE; then - CJDNS_PUBLIC_KEY=$(grep "CJDNS_PUBLIC_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "CJDNS_PRIVATE_KEY" $CONFIGURATION_FILE; then - CJDNS_PRIVATE_KEY=$(grep "CJDNS_PRIVATE_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ROUTER_IP_ADDRESS" $CONFIGURATION_FILE; then - ROUTER_IP_ADDRESS=$(grep "ROUTER_IP_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "CPU_CORES" $CONFIGURATION_FILE; then - CPU_CORES=$(grep "CPU_CORES" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WEBSERVER_LOG_LEVEL" $CONFIGURATION_FILE; then - WEBSERVER_LOG_LEVEL=$(grep "WEBSERVER_LOG_LEVEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "ROUTE_THROUGH_TOR" $CONFIGURATION_FILE; then - ROUTE_THROUGH_TOR=$(grep "ROUTE_THROUGH_TOR" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WIKI_TITLE" $CONFIGURATION_FILE; then - WIKI_TITLE=$(grep "WIKI_TITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MY_NAME" $CONFIGURATION_FILE; then - MY_NAME=$(grep "MY_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MY_EMAIL_ADDRESS" $CONFIGURATION_FILE; then - MY_EMAIL_ADDRESS=$(grep "MY_EMAIL_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "INSTALLING_ON_BBB" $CONFIGURATION_FILE; then - INSTALLING_ON_BBB=$(grep "INSTALLING_ON_BBB" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "SSH_PORT" $CONFIGURATION_FILE; then - SSH_PORT=$(grep "SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "INSTALLED_WITHIN_DOCKER" $CONFIGURATION_FILE; then - INSTALLED_WITHIN_DOCKER=$(grep "INSTALLED_WITHIN_DOCKER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "PUBLIC_MAILING_LIST" $CONFIGURATION_FILE; then - PUBLIC_MAILING_LIST=$(grep "PUBLIC_MAILING_LIST" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MICROBLOG_DOMAIN_NAME" $CONFIGURATION_FILE; then - MICROBLOG_DOMAIN_NAME=$(grep "MICROBLOG_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MICROBLOG_CODE" $CONFIGURATION_FILE; then - MICROBLOG_CODE=$(grep "MICROBLOG_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "HUBZILLA_DOMAIN_NAME" $CONFIGURATION_FILE; then - HUBZILLA_DOMAIN_NAME=$(grep "HUBZILLA_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "HUBZILLA_CODE" $CONFIGURATION_FILE; then - HUBZILLA_CODE=$(grep "HUBZILLA_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WIKI_DOMAIN_NAME" $CONFIGURATION_FILE; then - WIKI_DOMAIN_NAME=$(grep "WIKI_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "WIKI_CODE" $CONFIGURATION_FILE; then - WIKI_CODE=$(grep "WIKI_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "FULLBLOG_DOMAIN_NAME" $CONFIGURATION_FILE; then - FULLBLOG_DOMAIN_NAME=$(grep "FULLBLOG_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "FULLBLOG_CODE" $CONFIGURATION_FILE; then - FULLBLOG_CODE=$(grep "FULLBLOG_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MY_BLOG_TITLE" $CONFIGURATION_FILE; then - MY_BLOG_TITLE=$(grep "MY_BLOG_TITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MY_BLOG_SUBTITLE" $CONFIGURATION_FILE; then - MY_BLOG_SUBTITLE=$(grep "MY_BLOG_SUBTITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "GPG_ENCRYPT_STORED_EMAIL" $CONFIGURATION_FILE; then - GPG_ENCRYPT_STORED_EMAIL=$(grep "GPG_ENCRYPT_STORED_EMAIL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MY_GPG_PUBLIC_KEY" $CONFIGURATION_FILE; then - MY_GPG_PUBLIC_KEY=$(grep "MY_GPG_PUBLIC_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MY_GPG_PRIVATE_KEY" $CONFIGURATION_FILE; then - MY_GPG_PRIVATE_KEY=$(grep "MY_GPG_PRIVATE_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MY_GPG_PUBLIC_KEY_ID" $CONFIGURATION_FILE; then - MY_GPG_PUBLIC_KEY_ID=$(grep "MY_GPG_PUBLIC_KEY_ID" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "USB_DRIVE" $CONFIGURATION_FILE; then - USB_DRIVE=$(grep "USB_DRIVE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "MAX_PHP_MEMORY" $CONFIGURATION_FILE; then - MAX_PHP_MEMORY=$(grep "MAX_PHP_MEMORY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "TLS_TIME_SOURCE1" $CONFIGURATION_FILE; then - TLS_TIME_SOURCE1=$(grep "TLS_TIME_SOURCE1" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - if grep -q "TLS_TIME_SOURCE2" $CONFIGURATION_FILE; then - TLS_TIME_SOURCE2=$(grep "TLS_TIME_SOURCE2" $CONFIGURATION_FILE | awk -F '=' '{print $2}') - fi - fi - echo "System type: $SYSTEM_TYPE" -} - -function set_default_onion_domains { - # If sites are only visible via Tor then for installation - # purposes assign them some default domain names - if [[ $ONION_ONLY == "no" ]]; then - return - fi - - if [ ${#MICROBLOG_DOMAIN_NAME} -gt 1 ]; then - MICROBLOG_DOMAIN_NAME='microblog.local' - fi - if [ ${#FULLBLOG_DOMAIN_NAME} -gt 1 ]; then - FULLBLOG_DOMAIN_NAME='blog.local' - fi - if [ ${#WIKI_DOMAIN_NAME} -gt 1 ]; then - WIKI_DOMAIN_NAME='wiki.local' - fi - if [ ${#DEFAULT_DOMAIN_NAME} -gt 1 ]; then - DEFAULT_DOMAIN_NAME="${PROJECT_NAME}.local" - fi - if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then - GIT_DOMAIN_NAME='git.local' - fi - if [ ${#MEDIAGOBLIN_DOMAIN_NAME} -gt 1 ]; then - MEDIAGOBLIN_DOMAIN_NAME='media.local' - fi -} - -function nginx_disable_sniffing { - domain_name=$1 - filename=/etc/nginx/sites-available/$domain_name - echo ' add_header X-Frame-Options DENY;' >> $filename - echo ' add_header X-Content-Type-Options nosniff;' >> $filename - echo '' >> $filename -} - -function nginx_limits { - domain_name=$1 - max_body='20m' - if [ $2 ]; then - max_body=$2 - fi - filename=/etc/nginx/sites-available/$domain_name - echo " client_max_body_size ${max_body};" >> $filename - echo ' client_body_buffer_size 128k;' >> $filename - echo '' >> $filename - echo ' limit_conn conn_limit_per_ip 10;' >> $filename - echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename - echo '' >> $filename -} - -function nginx_http_redirect { - # redirect port 80 to https - domain_name=$1 - filename=/etc/nginx/sites-available/$domain_name - echo 'server {' > $filename - echo ' listen 80;' >> $filename - echo ' listen [::]:80;' >> $filename - echo " server_name ${domain_name};" >> $filename - echo " root /var/www/${domain_name}/htdocs;" >> $filename - echo ' access_log off;' >> $filename - echo " error_log /var/log/nginx/${domain_name}_error.log $WEBSERVER_LOG_LEVEL;" >> $filename - nginx_limits $domain_name - echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> $filename - echo '}' >> $filename - echo '' >> $filename -} - -function nginx_ssl { - # creates the SSL/TLS section for a website - domain_name=$1 - filename=/etc/nginx/sites-available/$domain_name - echo ' ssl on;' >> $filename - echo " ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename - echo " ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename - echo " ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename - echo '' >> $filename - echo ' ssl_session_timeout 60m;' >> $filename - echo ' ssl_prefer_server_ciphers on;' >> $filename - echo " ssl_protocols $SSL_PROTOCOLS;" >> $filename - echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename -} - -function rss_reader_modifications { - # modify the rss reader to use a socks5 proxy rather than a http proxy - if [ ! -d $RSS_READER_PATH ]; then - return - fi - - # ensure that socks5 proxy is used - if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/plugins/af_unburn/init.php; then - sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/plugins/af_unburn/init.php - fi - if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/include/functions.php; then - sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/include/functions.php - fi - chown -R www-data:www-data $RSS_READER_PATH - chmod a+x $RSS_READER_PATH -} - -function wait_for_onion_service { - onion_service_name="$1" - - sleep_ctr=0 - while [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; do - sleep 1 - sleep_ctr=$((sleep_ctr + 1)) - if [ $sleep_ctr -gt 10 ]; then - break - fi - done - - if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then - # restart and try a second time - systemctl restart tor - sleep_ctr=0 - while [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; do - sleep 1 - sleep_ctr=$((sleep_ctr + 1)) - if [ $sleep_ctr -gt 10 ]; then - break - fi - done - fi -} - -function add_onion_service { - onion_service_name="$1" - onion_service_port_from=$2 - onion_service_port_to=$3 - - if [ -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then - echo $(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname) - return - fi - - if [ ! -d /var/lib/tor ]; then - echo $"No Tor installation found. ${onion_service_name} onion site cannot be configured." - exit 877367 - fi - if ! grep -q "hidden_service_${onion_service_name}" /etc/tor/torrc; then - echo "HiddenServiceDir /var/lib/tor/hidden_service_${onion_service_name}/" >> /etc/tor/torrc - echo "HiddenServicePort ${onion_service_port_from} 127.0.0.1:${onion_service_port_to}" >> /etc/tor/torrc - fi - - systemctl restart tor - wait_for_onion_service ${onion_service_name} - - if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then - echo $"${onion_service_name} onion site hostname not found" - exit 76362 - fi - echo $(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname) -} - -function setup_wifi { - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! $WIFI_SSID ]; then - return - fi - if [ ${#WIFI_SSID} -lt 2 ]; then - return - fi - if grep -Fxq "setup_wifi" $COMPLETION_FILE; then - return - fi - - HOTSPOT='no' - if [[ $WIFI_HOTSPOT != 'no' ]]; then - HOTSPOT='yes' - fi - - if [ -f $WIFI_NETWORKS_FILE ]; then - ${PROJECT_NAME}-wifi -i $WIFI_INTERFACE --networks $WIFI_NETWORKS_FILE - echo 'setup_wifi' >> $COMPLETION_FILE - return - fi - - if [[ $WIFI_TYPE != 'none' ]]; then - if [ ! $WIFI_PASSPHRASE ]; then - echo $'No wifi passphrase was given' - return - fi - if [ ${#WIFI_PASSPHRASE} -lt 2 ]; then - echo $'Wifi passphrase was too short' - return - fi - ${PROJECT_NAME}-wifi -i $WIFI_INTERFACE -s $WIFI_SSID -t $WIFI_TYPE -p $WIFI_PASSPHRASE --hotspot $HOTSPOT --networks $WIFI_NETWORKS_FILE - else - ${PROJECT_NAME}-wifi -i $WIFI_INTERFACE -s $WIFI_SSID -t $WIFI_TYPE --hotspot $HOTSPOT --networks $WIFI_NETWORKS_FILE - fi - echo 'setup_wifi' >> $COMPLETION_FILE -} - -function create_avahi_onion_domains { - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! -d /etc/avahi/services ]; then - return - fi - if [ $MICROBLOG_DOMAIN_NAME ]; then - echo '' > /etc/avahi/services/microblog.service - echo '' >> /etc/avahi/services/microblog.service - echo '' >> /etc/avahi/services/microblog.service - echo ' %h HTTP' >> /etc/avahi/services/microblog.service - echo ' ' >> /etc/avahi/services/microblog.service - echo ' _http._tcp' >> /etc/avahi/services/microblog.service - echo " $MICROBLOG_ONION_PORT" >> /etc/avahi/services/microblog.service - echo ' ' >> /etc/avahi/services/microblog.service - echo '' >> /etc/avahi/services/microblog.service - fi - if [ $FULLBLOG_DOMAIN_NAME ]; then - echo '' > /etc/avahi/services/blog.service - echo '' >> /etc/avahi/services/blog.service - echo '' >> /etc/avahi/services/blog.service - echo ' %h HTTP' >> /etc/avahi/services/blog.service - echo ' ' >> /etc/avahi/services/blog.service - echo ' _http._tcp' >> /etc/avahi/services/blog.service - echo " $BLOG_ONION_PORT" >> /etc/avahi/services/blog.service - echo ' ' >> /etc/avahi/services/blog.service - echo '' >> /etc/avahi/services/blog.service - fi - if [ $GIT_DOMAIN_NAME ]; then - echo '' > /etc/avahi/services/git.service - echo '' >> /etc/avahi/services/git.service - echo '' >> /etc/avahi/services/git.service - echo ' %h HTTP' >> /etc/avahi/services/git.service - echo ' ' >> /etc/avahi/services/git.service - echo ' _http._tcp' >> /etc/avahi/services/git.service - echo " $GIT_ONION_PORT" >> /etc/avahi/services/git.service - echo ' ' >> /etc/avahi/services/git.service - echo '' >> /etc/avahi/services/git.service - fi - if [ $WIKI_DOMAIN_NAME ]; then - echo '' > /etc/avahi/services/wiki.service - echo '' >> /etc/avahi/services/wiki.service - echo '' >> /etc/avahi/services/wiki.service - echo ' %h HTTP' >> /etc/avahi/services/wiki.service - echo ' ' >> /etc/avahi/services/wiki.service - echo ' _http._tcp' >> /etc/avahi/services/wiki.service - echo " $WIKI_ONION_PORT" >> /etc/avahi/services/wiki.service - echo ' ' >> /etc/avahi/services/wiki.service - echo '' >> /etc/avahi/services/wiki.service - fi -} - -# check an individual domain name -function test_domain_name { - if [ $1 ]; then - TEST_DOMAIN_NAME=$1 - validate_domain_name - if [[ $TEST_DOMAIN_NAME != $1 ]]; then - echo $TEST_DOMAIN_NAME - exit 8528 - fi - fi -} - -# check that domain names are sensible -function check_domains { - if [ ${#WIKI_DOMAIN_NAME} -gt 1 ]; then - test_domain_name "$WIKI_DOMAIN_NAME" - - if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then - echo $'Wiki domain name is the same as blog domain name. They must be different' - exit 97326 - fi - if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then - echo $'Wiki domain name is the same as microblog domain name. They must be different' - exit 36827 - fi - if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then - echo $'Wiki domain name is the same as hubzilla domain name. They must be different' - exit 65848 - fi - if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then - if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then - echo $'Wiki domain name is the same as Gogs domain name. They must be different' - exit 73529 - fi - fi - fi - - if [ ${#FULLBLOG_DOMAIN_NAME} -gt 1 ]; then - test_domain_name "$FULLBLOG_DOMAIN_NAME" - - if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then - echo $'Blog domain name is the same as wiki domain name. They must be different' - exit 62348 - fi - if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then - echo $'Blog domain name is the same as microblog domain name. They must be different' - exit 38236 - fi - if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then - echo $'Blog domain name is the same as hubzilla domain name. They must be different' - exit 35483 - fi - if [ $GIT_DOMAIN_NAME ]; then - if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then - echo $'Blog domain name is the same as Gogs domain name. They must be different' - exit 84695 - fi - fi - fi - - if [ ${#MICROBLOG_DOMAIN_NAME} -gt 1 ]; then - test_domain_name "$MICROBLOG_DOMAIN_NAME" - - if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then - echo $'Microblog domain name is the same as wiki domain name. They must be different' - exit 73924 - fi - if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then - echo $'Microblog domain name is the same as blog domain name. They must be different' - exit 26832 - fi - if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then - echo $'Microblog domain name is the same as hubzilla domain name. They must be different' - exit 678382 - fi - if [ $GIT_DOMAIN_NAME ]; then - if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then - echo $'Microblog domain name is the same as Gogs domain name. They must be different' - exit 684325 - fi - fi - fi - - if [ $HUBZILLA_DOMAIN_NAME ]; then - test_domain_name "$HUBZILLA_DOMAIN_NAME" - - if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then - echo $'Hubzilla domain name is the same as wiki domain name. They must be different' - exit 83682 - fi - if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then - echo $'Hubzilla domain name is the same as blog domain name. They must be different' - exit 74817 - fi - if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then - echo $'Hubzilla domain name is the same as microblog domain name. They must be different' - exit 83683 - fi - if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then - if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then - echo $'Hubzilla domain name is the same as Gogs domain name. They must be different' - exit 135523 - fi - fi - fi - - if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then - test_domain_name "$GIT_DOMAIN_NAME" - - if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then - echo $'Hubzilla domain name is the same as wiki domain name. They must be different' - exit 83682 - fi - if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then - echo $'Hubzilla domain name is the same as blog domain name. They must be different' - exit 74817 - fi - if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then - echo $'Hubzilla domain name is the same as microblog domain name. They must be different' - exit 83683 - fi - if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then - echo $'Microblog domain name is the same as hubzilla domain name. They must be different' - exit 678382 - fi - fi -} - -# Checks whether certificates were generated for the given hostname -function check_certificates { - if [ ! $1 ]; then - return - fi - USE_LETSENCRYPT='no' - if [ $2 ]; then - USE_LETSENCRYPT=$2 - fi - if [[ $USE_LETSENCRYPT == 'no' ]]; then - if [ ! -f /etc/ssl/private/$1.key ]; then - echo $"Private certificate for $CHECK_HOSTNAME was not created" - exit 63959 - fi - if [ ! -f /etc/ssl/certs/$1.crt ]; then - echo $"Public certificate for $CHECK_HOSTNAME was not created" - exit 7679 - fi - else - if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then - echo $"Private certificate for $CHECK_HOSTNAME was not created" - exit 6282 - fi - if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then - echo $"Public certificate for $CHECK_HOSTNAME was not created" - exit 5328 - fi - fi - if [ ! -f /etc/ssl/certs/$1.dhparam ]; then - echo $"Diffie–Hellman parameters for $CHECK_HOSTNAME were not created" - exit 5989 - fi -} - -function create_site_certificate { - SITE_DOMAIN_NAME="$1" - - # if yes then only "valid" certs are allowed, not self-signed - NO_SELF_SIGNED='no' - if [ $2 ]; then - NO_SELF_SIGNED="$2" - fi - - if [[ $ONION_ONLY == "no" ]]; then - if [ ! -f /etc/ssl/certs/$SITE_DOMAIN_NAME.dhparam ]; then - if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then - ${PROJECT_NAME}-addcert -h $SITE_DOMAIN_NAME --dhkey $DH_KEYLENGTH - check_certificates $SITE_DOMAIN_NAME - else - ${PROJECT_NAME}-addcert -e $SITE_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH --email $MY_EMAIL_ADDRESS - if [ ! "$?" = "0" ]; then - if [[ $NO_SELF_SIGNED == 'no' ]]; then - echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME, so try making a self-signed cert" - ${PROJECT_NAME}-addcert -h $SITE_DOMAIN_NAME --dhkey $DH_KEYLENGTH - check_certificates $SITE_DOMAIN_NAME - else - echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME" - exit 682529 - fi - else - check_certificates $SITE_DOMAIN_NAME 'yes' - fi - fi - fi - fi -} - -function install_not_on_BBB { - if grep -Fxq "install_not_on_BBB" $COMPLETION_FILE; then - return - fi - if [[ INSTALLING_ON_BBB == "yes" ]]; then - return - fi - if [ ! $LOCAL_NETWORK_STATIC_IP_ADDRESS ]; then - return - fi - - echo '# The loopback network interface' > /etc/network/interfaces - echo 'auto lo' >> /etc/network/interfaces - echo 'iface lo inet loopback' >> /etc/network/interfaces - echo '' >> /etc/network/interfaces - echo '# The primary network interface' >> /etc/network/interfaces - echo 'auto eth0' >> /etc/network/interfaces - echo 'iface eth0 inet static' >> /etc/network/interfaces - echo " address $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/network/interfaces - echo ' netmask 255.255.255.0' >> /etc/network/interfaces - echo " gateway $ROUTER_IP_ADDRESS" >> /etc/network/interfaces - echo " dns-nameservers $NAMESERVER1 $NAMESERVER2" >> /etc/network/interfaces - echo '# Example to keep MAC address between reboots' >> /etc/network/interfaces - echo '#hwaddress ether DE:AD:BE:EF:CA:FE' >> /etc/network/interfaces - echo '' >> /etc/network/interfaces - echo '# The secondary network interface' >> /etc/network/interfaces - echo '#auto eth1' >> /etc/network/interfaces - echo '#iface eth1 inet dhcp' >> /etc/network/interfaces - echo '' >> /etc/network/interfaces - echo '# WiFi Example' >> /etc/network/interfaces - echo "#auto $WIFI_INTERFACE" >> /etc/network/interfaces - echo "#iface $WIFI_INTERFACE inet dhcp" >> /etc/network/interfaces - echo '# wpa-ssid "essid"' >> /etc/network/interfaces - echo '# wpa-psk "password"' >> /etc/network/interfaces - echo '' >> /etc/network/interfaces - echo '# Ethernet/RNDIS gadget (g_ether)' >> /etc/network/interfaces - echo '# ... or on host side, usbnet and random hwaddr' >> /etc/network/interfaces - echo '# Note on some boards, usb0 is automaticly setup with an init script' >> /etc/network/interfaces - echo '#iface usb0 inet static' >> /etc/network/interfaces - echo '# address 192.168.7.2' >> /etc/network/interfaces - echo '# netmask 255.255.255.0' >> /etc/network/interfaces - echo '# network 192.168.7.0' >> /etc/network/interfaces - echo '# gateway 192.168.7.1' >> /etc/network/interfaces - - echo 'install_not_on_BBB' >> $COMPLETION_FILE -} - -function mark_admin_user_account { - if ! grep -q "Admin user:" $COMPLETION_FILE; then - echo "Admin user:$MY_USERNAME" >> $COMPLETION_FILE - fi -} - -function mark_blog_domain { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if ! grep -q "Blog domain:" $COMPLETION_FILE; then - echo "Blog domain:$FULLBLOG_DOMAIN_NAME" >> $COMPLETION_FILE - fi -} - -function randomize_cron { - # The predictable default timing of Debian cron jobs might - # be exploitable knowledge. Avoid too much predictability - # by randomizing the times when cron jobs run - if grep -Fxq "randomize_cron" $COMPLETION_FILE; then - return - fi - - # randomize the day on which the weekly cron job runs - randdow=$(($RANDOM%6+1)) - sed -i "s|\* \* 7|* * $randdow|g" /etc/crontab - - # randomize the time when the weekly cron job runs - randmin=$(($RANDOM%60)) - randhr=$(($RANDOM%3+1)) - sed -i "s|47 6|$randmin $randhr|g" /etc/crontab - - # randomize the time when the daily cron job runs - randmin=$(($RANDOM%60)) - randhr=$(($RANDOM%3+4)) - sed -i "s|25 6\t\* \* \*|$randmin $randhr\t* * *|g" /etc/crontab - - # randomize the time when the hourly cron job runs - randmin=$(($RANDOM%60)) - sed -i "s|17 \*\t|$randmin *\t|g" /etc/crontab - - # randomize monthly cron job time and day - randmin=$(($RANDOM%60)) - randhr=$(($RANDOM%22+1)) - randdom=$(($RANDOM%27+1)) - sed -i "s|52 6\t|$randmin $randhr\t|g" /etc/crontab - sed -i "s|\t1 \* \*|\t$randdom * *|g" /etc/crontab - - systemctl restart cron - - echo 'randomize_cron' >> $COMPLETION_FILE -} - -function get_cjdns_public_key { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "cjdns public key" /home/$MY_USERNAME/README; then - if [ ! $CJDNS_PUBLIC_KEY ]; then - CJDNS_PUBLIC_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns public key" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi -} - -function get_cjdns_private_key { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "cjdns private key" /home/$MY_USERNAME/README; then - if [ ! $CJDNS_PRIVATE_KEY ]; then - CJDNS_PRIVATE_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns private key" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi -} - -function get_cjdns_ipv6_address { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "cjdns IPv6 address" /home/$MY_USERNAME/README; then - if [ ! $CJDNS_IPV6 ]; then - CJDNS_IPV6=$(cat /home/$MY_USERNAME/README | grep "cjdns IPv6 address" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi -} - -function get_cjdns_port { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "cjdns port" /home/$MY_USERNAME/README; then - if [ ! $CJDNS_PORT ]; then - CJDNS_PORT=$(cat /home/$MY_USERNAME/README | grep "cjdns port" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi -} - -function get_cjdns_password { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "cjdns password" /home/$MY_USERNAME/README; then - if [ ! $CJDNS_PASSWORD ]; then - CJDNS_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "cjdns password" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi -} - -# script to automatically renew any Let's Encrypt certificates -function letsencrypt_renewals { - if [[ $ONION_ONLY != "no" ]]; then - return - fi - - renewals_script=/etc/cron.monthly/letsencrypt - renewals_retry_script=/etc/cron.daily/letsencrypt - renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed' - renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal' - - # the main script tries to renew once per month - echo '#!/bin/bash' > $renewals_script - echo '' >> $renewals_script - echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script - echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script - echo '' >> $renewals_script - echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script - echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script - echo ' rm ~/letsencrypt_failed' >> $renewals_script - echo ' fi' >> $renewals_script - echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script - echo -n "awk -F ':' '{print " >> $renewals_script - echo -n '$2' >> $renewals_script - echo "}')" >> $renewals_script - echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script - echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script - echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script - echo -n "awk -F '/' '{print " >> $renewals_script - echo -n '$5' >> $renewals_script - echo "}')" >> $renewals_script - echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script - echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script - echo ' if [ ! "$?" = "0" ]; then' >> $renewals_script - echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script - echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script - echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script - echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script - echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script - echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_script - echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script - echo ' touch ~/letsencrypt_failed' >> $renewals_script - echo ' fi' >> $renewals_script - echo ' fi' >> $renewals_script - echo ' fi' >> $renewals_script - echo ' done' >> $renewals_script - echo 'fi' >> $renewals_script - chmod +x $renewals_script - - # a secondary script keeps trying to renew after a failure - echo '#!/bin/bash' > $renewals_retry_script - echo '' >> $renewals_retry_script - echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script - echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script - echo '' >> $renewals_retry_script - echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script - echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script - echo ' rm ~/letsencrypt_failed' >> $renewals_retry_script - echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script - echo -n "awk -F ':' '{print " >> $renewals_retry_script - echo -n '$2' >> $renewals_retry_script - echo "}')" >> $renewals_retry_script - echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script - echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script - echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script - echo -n "awk -F '/' '{print " >> $renewals_retry_script - echo -n '$5' >> $renewals_retry_script - echo "}')" >> $renewals_retry_script - echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script - echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script - echo ' if [ ! "$?" = "0" ]; then' >> $renewals_retry_script - echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script - echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script - echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script - echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script - echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script - echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script - echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script - echo ' touch ~/letsencrypt_failed' >> $renewals_retry_script - echo ' fi' >> $renewals_retry_script - echo ' fi' >> $renewals_retry_script - echo ' fi' >> $renewals_retry_script - echo ' done' >> $renewals_retry_script - echo ' fi' >> $renewals_retry_script - echo 'fi' >> $renewals_retry_script - chmod +x $renewals_retry_script -} - -function save_firewall_settings { - iptables-save > /etc/firewall.conf - ip6tables-save > /etc/firewall6.conf - printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables - printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables - printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables - chmod +x /etc/network/if-up.d/iptables -} - -function enable_ipv6 { - # endure that ipv6 is enabled and can route - sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf - #sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf - #sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf - sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf - echo 1 > /proc/sys/net/ipv6/conf/all/forwarding -} - -function mesh_cjdns { - if [[ $ENABLE_CJDNS != "yes" ]]; then - return - fi - - # update to the next commit - set_repo_commit /etc/cjdns "cjdns commit" "$CJDNS_COMMIT" $CJDNS_REPO - - if grep -Fxq "mesh_cjdns" $COMPLETION_FILE; then - return - fi - - apt-get -y install nodejs git build-essential nmap - - # if a README exists then obtain the cjdns parameters - get_cjdns_ipv6_address - get_cjdns_public_key - get_cjdns_private_key - get_cjdns_port - get_cjdns_password - - # special compile settings for running ./do on the Beaglebone Black - if [[ $INSTALLING_ON_BBB == "yes" ]]; then - CFLAGS="-O2 -march=armv7-a -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -ffast-math -mfloat-abi=hard -marm -Wno-error=maybe-uninitialized" - export LDFLAGS="$CFLAGS" - fi - - if [ ! -d /etc/cjdns ]; then - git_clone $CJDNS_REPO /etc/cjdns - cd /etc/cjdns - - git checkout $CJDNS_COMMIT -b $CJDNS_COMMIT - if ! grep -q "cjdns commit" $COMPLETION_FILE; then - echo "cjdns commit:$CJDNS_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/cjdns commit.*/cjdns commit:$CJDNS_COMMIT/g" $COMPLETION_FILE - fi - - ./do - if [ ! "$?" = "0" ]; then - exit 7439 - fi - # create a configuration - if [ ! -f /etc/cjdns/cjdroute.conf ]; then - ./cjdroute --genconf > /etc/cjdns/cjdroute.conf - if [ ! "$?" = "0" ]; then - exit 5922 - fi - fi - # create a user to run as - useradd cjdns - else - cd /etc/cjdns - git_pull $CJDNS_REPO - ./do - if [ ! "$?" = "0" ]; then - exit 9926 - fi - fi - - # set permissions - chown -R cjdns:cjdns /etc/cjdns - chmod 600 /etc/cjdns/cjdroute.conf - - /sbin/ip tuntap add mode tun user cjdns dev cjdroute0 - - # insert values into the configuration file - if [ $CJDNS_PRIVATE_KEY ]; then - sed -i "s/\"privateKey\":.*/\"privateKey\": \"$CJDNS_PRIVATE_KEY\",/g" /etc/cjdns/cjdroute.conf - else - CJDNS_PRIVATE_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"privateKey"' | awk -F '"' '{print $4}' | sed -n 1p) - fi - if [ $CJDNS_PUBLIC_KEY ]; then - sed -i "s/\"publicKey\":.*/\"publicKey\": \"$CJDNS_PUBLIC_KEY\",/g" /etc/cjdns/cjdroute.conf - else - CJDNS_PUBLIC_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"publicKey"' | awk -F '"' '{print $4}' | sed -n 1p) - fi - if [ $CJDNS_IPV6 ]; then - sed -i "s/\"ipv6\":.*/\"ipv6\": \"$CJDNS_IPV6\",/g" /etc/cjdns/cjdroute.conf - else - CJDNS_IPV6=$(cat /etc/cjdns/cjdroute.conf | grep '"ipv6"' | awk -F '"' '{print $4}' | sed -n 1p) - fi - if [ $CJDNS_PASSWORD ]; then - sed -i "0,/{\"password\":.*/s//{\"password\": \"$CJDNS_PASSWORD\"}/g" /etc/cjdns/cjdroute.conf - else - CJDNS_PASSWORD=$(cat /etc/cjdns/cjdroute.conf | grep '"password"' | awk -F '"' '{print $4}' | sed -n 1p) - fi - if [ $CJDNS_PORT ]; then - sed -i "s/\"bind\": \"0.0.0.0:.*/\"bind\": \"0.0.0.0:$CJDNS_PORT\",/g" /etc/cjdns/cjdroute.conf - else - CJDNS_PORT=$(cat /etc/cjdns/cjdroute.conf | grep '"bind": "0.0.0.0:' | awk -F '"' '{print $4}' | awk -F ':' '{print $2}' | sed -n 1p) - fi - - enable_ipv6 - - echo '#!/bin/sh -e' > /etc/init.d/cjdns - echo '### BEGIN INIT INFO' >> /etc/init.d/cjdns - echo '# hyperboria.sh - An init script (/etc/init.d/) for cjdns' >> /etc/init.d/cjdns - echo '# Provides: cjdroute' >> /etc/init.d/cjdns - echo '# Required-Start: $remote_fs $network' >> /etc/init.d/cjdns - echo '# Required-Stop: $remote_fs $network' >> /etc/init.d/cjdns - echo '# Default-Start: 2 3 4 5' >> /etc/init.d/cjdns - echo '# Default-Stop: 0 1 6' >> /etc/init.d/cjdns - echo '# Short-Description: Cjdns router' >> /etc/init.d/cjdns - echo '# Description: A routing engine designed for security, scalability, speed and ease of use.' >> /etc/init.d/cjdns - echo '# cjdns git repo: https://github.com/cjdelisle/cjdns/' >> /etc/init.d/cjdns - echo '### END INIT INFO' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo 'PROG="cjdroute"' >> /etc/init.d/cjdns - echo 'GIT_PATH="/etc/cjdns"' >> /etc/init.d/cjdns - echo 'PROG_PATH="/etc/cjdns"' >> /etc/init.d/cjdns - echo 'CJDNS_CONFIG="cjdroute.conf"' >> /etc/init.d/cjdns - echo 'CJDNS_USER="cjdns"' >> /etc/init.d/cjdns - echo "CJDNS_IP='$CJDNS_IPV6'" >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo 'start() {' >> /etc/init.d/cjdns - echo ' # Start it up with the user cjdns' >> /etc/init.d/cjdns - echo ' if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns - echo ' then' >> /etc/init.d/cjdns - echo ' echo "cjdroute is already running. Doing nothing..."' >> /etc/init.d/cjdns - echo ' else' >> /etc/init.d/cjdns - echo ' echo " * Starting cjdroute"' >> /etc/init.d/cjdns - echo ' su -c "$PROG_PATH/$PROG < $PROG_PATH/$CJDNS_CONFIG" - $CJDNS_USER' >> /etc/init.d/cjdns - echo ' /sbin/ip addr add $CJDNS_IP/8 dev tun0' >> /etc/init.d/cjdns - echo ' /sbin/ip link set mtu 1312 dev tun0' >> /etc/init.d/cjdns - echo ' /sbin/ip link set tun0 up' >> /etc/init.d/cjdns - echo ' /sbin/ip tuntap add mode tun user cjdns dev tun0' >> /etc/init.d/cjdns - echo ' fi' >> /etc/init.d/cjdns - echo '}' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo 'stop() {' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo ' if [ $(pgrep cjdroute | wc -l) != 2 ];' >> /etc/init.d/cjdns - echo ' then' >> /etc/init.d/cjdns - echo ' echo "cjdns isnt running."' >> /etc/init.d/cjdns - echo ' else' >> /etc/init.d/cjdns - echo ' echo "Killing cjdroute"' >> /etc/init.d/cjdns - echo ' killall cjdroute' >> /etc/init.d/cjdns - echo ' fi' >> /etc/init.d/cjdns - echo '}' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo 'status() {' >> /etc/init.d/cjdns - echo ' if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns - echo ' then' >> /etc/init.d/cjdns - echo ' echo "Cjdns is running"' >> /etc/init.d/cjdns - echo ' else' >> /etc/init.d/cjdns - echo ' echo "Cjdns is not running"' >> /etc/init.d/cjdns - echo ' fi' >> /etc/init.d/cjdns - echo '}' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo ' update() {' >> /etc/init.d/cjdns - echo ' cd $GIT_PATH' >> /etc/init.d/cjdns - echo ' echo "Updating..."' >> /etc/init.d/cjdns - echo ' git pull' >> /etc/init.d/cjdns - echo ' ./do' >> /etc/init.d/cjdns - echo '}' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo '## Check to see if we are running as root first.' >> /etc/init.d/cjdns - echo 'if [ "$(id -u)" != "0" ]; then' >> /etc/init.d/cjdns - echo ' echo "This script must be run as root" 1>&2' >> /etc/init.d/cjdns - echo ' exit 1' >> /etc/init.d/cjdns - echo 'fi' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo 'case $1 in' >> /etc/init.d/cjdns - echo ' start)' >> /etc/init.d/cjdns - echo ' start' >> /etc/init.d/cjdns - echo ' exit 0' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo ' stop)' >> /etc/init.d/cjdns - echo ' stop' >> /etc/init.d/cjdns - echo ' exit 0' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo ' reload|restart|force-reload)' >> /etc/init.d/cjdns - echo ' stop' >> /etc/init.d/cjdns - echo ' sleep 1' >> /etc/init.d/cjdns - echo ' start' >> /etc/init.d/cjdns - echo ' exit 0' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo ' status)' >> /etc/init.d/cjdns - echo ' status' >> /etc/init.d/cjdns - echo ' exit 0' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo ' update|upgrade)' >> /etc/init.d/cjdns - echo ' update' >> /etc/init.d/cjdns - echo ' stop' >> /etc/init.d/cjdns - echo ' sleep 2' >> /etc/init.d/cjdns - echo ' start' >> /etc/init.d/cjdns - echo ' exit 0' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo ' **)' >> /etc/init.d/cjdns - echo ' echo "Usage: $0 (start|stop|restart|status|update)" 1>&2' >> /etc/init.d/cjdns - echo ' exit 1' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo 'esac' >> /etc/init.d/cjdns - chmod +x /etc/init.d/cjdns - update-rc.d cjdns defaults - service cjdns start - if [ ! "$?" = "0" ]; then - systemctl status cjdns.service - exit 8260 - fi - - apt-get -y install radvd - echo 'interface eth0' > /etc/radvd.conf - echo '{' >> /etc/radvd.conf - echo ' AdvSendAdvert on;' >> /etc/radvd.conf - echo ' prefix fdfc::1/64' >> /etc/radvd.conf - echo ' {' >> /etc/radvd.conf - echo ' AdvRouterAddr on;' >> /etc/radvd.conf - echo ' };' >> /etc/radvd.conf - echo '};' >> /etc/radvd.conf - systemctl restart radvd - if [ ! "$?" = "0" ]; then - systemctl status radvd.service - exit 4395 - fi - - if ! grep -q "# Mesh Networking (cjdns)" /etc/network/interfaces; then - echo '' >> /etc/network/interfaces - echo '# Mesh Networking (cjdns)' >> /etc/network/interfaces - echo 'iface eth0 inet6 static' >> /etc/network/interfaces - echo ' pre-up modprobe ipv6' >> /etc/network/interfaces - echo ' address fdfc:0000:0000:0000:0000:0000:0000:0001' >> /etc/network/interfaces - echo ' netmask 64' >> /etc/network/interfaces - service network-manager restart - if [ ! "$?" = "0" ]; then - systemctl status networking.service - exit 6949 - fi - fi - - ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT - ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT - save_firewall_settings - - if ! grep -q $"Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then - CURRENT_IP_ADDRESS=$(ip addr show | grep "inet " | sed -n 2p | awk -F ' ' '{print $2}' | awk -F '/' '{print $1}') - - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Mesh Networking (cjdns)' >> /home/$MY_USERNAME/README - echo '=======================' >> /home/$MY_USERNAME/README - echo $"cjdns IPv6 address: $CJDNS_IPV6" >> /home/$MY_USERNAME/README - echo $"cjdns public key: $CJDNS_PUBLIC_KEY" >> /home/$MY_USERNAME/README - echo $"cjdns private key: $CJDNS_PRIVATE_KEY" >> /home/$MY_USERNAME/README - echo $"cjdns password: $CJDNS_PASSWORD" >> /home/$MY_USERNAME/README - echo $"cjdns port: $CJDNS_PORT" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $"Forward port $CJDNS_PORT from your internet router to the ${PROJECT_NAME}" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Below is an example of your connection credentials' >> /home/$MY_USERNAME/README - echo $'that you can give to other people so they can connect' >> /home/$MY_USERNAME/README - echo $'to you using your default password' >> /home/$MY_USERNAME/README - echo $'Adding a unique password for each user is advisable' >> /home/$MY_USERNAME/README - echo $'so that leaks can be isolated.' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo "\"$CURRENT_IP_ADDRESS:$CJDNS_PORT\":{\"password\":\"$CJDNS_PASSWORD\",\"publicKey\":\"$CJDNS_PUBLIC_KEY\"}" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'More is not better. 3-5 cjdns peers is good. 30 peers is bad.' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'NEVER USE A PUBLIC PEER. These degrade the network and make it centralized.' >> /home/$MY_USERNAME/README - echo $'Each node can handle many peers, but no node can handle the entire internet.' >> /home/$MY_USERNAME/README - echo $'As this network grows any public peer will simply become saturated and' >> /home/$MY_USERNAME/README - echo $'useless causing issues for the entire network.' >> /home/$MY_USERNAME/README - echo $'Please report anyone offering you a public peer as they are promoting shared' >> /home/$MY_USERNAME/README - echo $'passwords which could lead to people pretending to be you. A peering pass' >> /home/$MY_USERNAME/README - echo $'should not contain someone elses nickname or info but should contain yours' >> /home/$MY_USERNAME/README - echo $'to ensure it is not shared. It also helps when editing the conf to know who' >> /home/$MY_USERNAME/README - echo $'each password is for.' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Possible cjdns destinations of interest:' >> /home/$MY_USERNAME/README - echo ' http://transitiontech.ca/faq' >> /home/$MY_USERNAME/README - echo ' http://cjdns.ca/hypeirc.txt' >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'mesh_cjdns' >> $COMPLETION_FILE -} - -function create_mirrors { - if [ -d /home/trove ]; then - userdel -r trove - fi - if grep -Fxq "create_mirrors" $COMPLETION_FILE; then - return - fi - ${PROJECT_NAME}-mirrors - echo 'create_mirrors' >> $COMPLETION_FILE -} - -function select_go_version { - if [ ! -d $GVM_HOME/bin ]; then - echo $'GVM was not installed' - exit 629532 - fi - export GVM_ROOT=$GVM_HOME - if ! grep -q "GVM_ROOT=" ~/.bashrc; then - echo "export GVM_ROOT=$GVM_ROOT" >> ~/.bashrc - else - sed -i "s|export GVM_ROOT=.*|export GVM_ROOT=$GVM_ROOT|g" ~/.bashrc - fi - cd $GVM_ROOT/bin - [[ -s "$GVM_ROOT/scripts/gvm" ]] && source "$GVM_ROOT/scripts/gvm" - gvm use go${GO_VERSION} --default - systemctl set-environment GOPATH=$GOPATH - - if [ ${#GOPATH} -lt 2 ]; then - echo $'GOPATH was not set' - exit 629825 - fi -} - -function mesh_cjdns_tools { - if grep -Fxq "mesh_cjdns_tools" $COMPLETION_FILE; then - return - fi - if [[ $ENABLE_CJDNS != "yes" ]]; then - return - fi - if [ ! -d /etc/cjdns ]; then - mesh_cjdns - fi - - select_go_version - - apt-get -y install golang mercurial - if [ ! -f ~/.bashrc ]; then - touch ~/.bashrc - fi - - if [ ! -d /home/git ]; then - # add a gogs user account - adduser --disabled-login --gecos 'Gogs' git - - # install Go - if ! grep -q "export GOPATH=" ~/.bashrc; then - echo "export GOPATH=$GOPATH" >> ~/.bashrc - fi - systemctl set-environment GOPATH=$GOPATH - if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then - echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc - fi - if [ ! -d $GOPATH ]; then - mkdir -p $GOPATH - fi - fi - - if ! grep -q "export GOPATH=" ~/.bashrc; then - echo "export GOPATH=$GOPATH" >> ~/.bashrc - fi - expected_go_path='export PATH=$PATH:'${GOPATH}'/bin' - export PATH=$PATH:${GOPATH}/bin - if ! grep -q "$expected_go_path" ~/.bashrc; then - echo "$expected_go_path" >> ~/.bashrc - fi - export PATH=$PATH:$GOPATH/bin - CJDCMD_REPO2=$(echo "$CJDCMD_REPO" | sed 's|https://||g') - go get $CJDCMD_REPO2 - if [ ! -f $GOPATH/bin/cjdcmd ]; then - echo $'cjdcmd was not compiled. Check your golang installation' - exit 7439 - fi - cp $GOPATH/bin/cjdcmd /usr/bin - - # initialise from the cjdns config - /usr/bin/cjdcmd cjdnsadmin -file /etc/cjdns/cjdroute.conf - - echo 'mesh_cjdns_tools' >> $COMPLETION_FILE -} - -function install_zeronet_blog { - if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then - return - fi - - set_repo_commit $MESH_INSTALL_DIR/zeronet/ZeroBlog "ZeroNet Blog commit" "$ZERONET_BLOG_COMMIT" $ZERONET_BLOG_REPO - - if grep -Fxq "install_zeronet_blog" $COMPLETION_FILE; then - return - fi - - if [ ! -f /home/$MY_USERNAME/README ]; then - touch /home/$MY_USERNAME/README - fi - - if grep -q "ZeroNet Blog address" /home/$MY_USERNAME/README; then - return - fi - - if [ ! -d /etc/avahi ]; then - echo $'Avahi is not installed' - exit 736 - fi - - ZERONET_DEFAULT_BLOG_TITLE="${MY_USERNAME}'s Blog" - - cd $MESH_INSTALL_DIR/zeronet - python zeronet.py --batch siteCreate 2> $MESH_INSTALL_DIR/zeronet/blog.txt - if [ ! -f $MESH_INSTALL_DIR/zeronet/blog.txt ]; then - echo $'Unable to create blog' - exit 479 - fi - blog_address=$(cat blog.txt | grep "Site address" | awk -F ':' '{print $2}') - blog_private_key=$(cat blog.txt | grep "Site private key" | awk -F ':' '{print $2}') - ZERONET_BLOG_ADDRESS=${blog_address//[[:blank:]]/} - ZERONET_BLOG_PRIVATE_KEY=${blog_private_key//[[:blank:]]/} - - if [ ${#ZERONET_BLOG_ADDRESS} -lt 20 ]; then - echo $"Address: $ZERONET_BLOG_ADDRESS" - echo $"Public key: $ZERONET_BLOG_PRIVATE_KEY" - echo $'Unable to create zeronet blog address' - exit 7358 - fi - - if [ ${#ZERONET_BLOG_PRIVATE_KEY} -lt 20 ]; then - echo $"Address: $ZERONET_BLOG_ADDRESS" - echo $"Public key: $ZERONET_BLOG_PRIVATE_KEY" - echo $'Unable to create zeronet blog private key' - exit 1639 - fi - - if [ ! -d "$MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS" ]; then - echo $"Unable to find site directory: $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS" - exit 7638 - fi - - git_clone $ZERONET_BLOG_REPO ZeroBlog - if [ ! -d $MESH_INSTALL_DIR/zeronet/ZeroBlog ]; then - echo $'ZeroBlog repo could not be cloned' - exit 6739 - fi - cd $MESH_INSTALL_DIR/zeronet/ZeroBlog - git checkout $ZERONET_BLOG_COMMIT -b $ZERONET_BLOG_COMMIT - if ! grep -q "ZeroNet Blog commit" $COMPLETION_FILE; then - echo "ZeroNet Blog commit:$ZERONET_BLOG_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/ZeroNet Blog commit.*/ZeroNet Blog commit:$ZERONET_BLOG_COMMIT/g" $COMPLETION_FILE - fi - - echo $"ZeroNet Blog address: $ZERONET_BLOG_ADDRESS" - echo $"ZeroNet Blog private key: $ZERONET_BLOG_PRIVATE_KEY" - cp -r $MESH_INSTALL_DIR/zeronet/ZeroBlog/* $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS - - if [ ! -d $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data ]; then - mkdir $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data - fi - cp $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data-default/data.json $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data - sed -i "s/MyZeroBlog/$ZERONET_DEFAULT_BLOG_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data/data.json - sed -i "s/My ZeroBlog./$ZERONET_DEFAULT_BLOG_TAGLINE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data/data.json - sed -i "s/ZeroBlog Demo/$ZERONET_DEFAULT_BLOG_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/index.html - sed -i "s|

.*|

$ZERONET_DEFAULT_BLOG_TAGLINE

|g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/index.html - sed -i "s/Blogging platform Demo/Blogging platform/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/content.json - python zeronet.py siteSign $ZERONET_BLOG_ADDRESS $ZERONET_BLOG_PRIVATE_KEY - - # Add an avahi service - echo '' > /tmp/zeronet-blog.service - echo '' >> /tmp/zeronet-blog.service - echo '' >> /tmp/zeronet-blog.service - echo ' %h ZeroNet Blog' >> /tmp/zeronet-blog.service - echo ' ' >> /tmp/zeronet-blog.service - echo ' _zeronet._udp' >> /tmp/zeronet-blog.service - echo " $ZERONET_PORT" >> /tmp/zeronet-blog.service - echo " $ZERONET_URL/$ZERONET_BLOG_ADDRESS" >> /tmp/zeronet-blog.service - echo ' ' >> /tmp/zeronet-blog.service - echo '' >> /tmp/zeronet-blog.service - cp /tmp/zeronet-blog.service /etc/avahi/services/zeronet-blog.service - - if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then - mkdir -p /home/$MY_USERNAME/.config/zeronet - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config - fi - echo "$ZERONET_URL/$ZERONET_BLOG_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/myblog - - if ! grep -q "ZeroNet Blog address" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo "ZeroNet Blog address: $ZERONET_BLOG_ADDRESS" >> /home/$MY_USERNAME/README - echo "ZeroNet Blog private key: $ZERONET_BLOG_PRIVATE_KEY" >> /home/$MY_USERNAME/README - fi - - echo 'install_zeronet_blog' >> $COMPLETION_FILE -} - -function install_zeronet_mail { - if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then - return - fi - - set_repo_commit $MESH_INSTALL_DIR/zeronet/ZeroMail "ZeroNet Mail commit" "$ZERONET_MAIL_COMMIT" $ZERONET_MAIL_REPO - - if grep -Fxq "install_zeronet_mail" $COMPLETION_FILE; then - return - fi - - if [ ! -f /home/$MY_USERNAME/README ]; then - touch /home/$MY_USERNAME/README - fi - - if grep -q "ZeroNet Mail address" /home/$MY_USERNAME/README; then - return - fi - - if [ ! -d /etc/avahi ]; then - echo 'Avahi is not installed' - exit 736 - fi - - ZERONET_DEFAULT_MAIL_TITLE="${MY_USERNAME}'s Mail" - - cd $MESH_INSTALL_DIR/zeronet - python zeronet.py --batch siteCreate 2> $MESH_INSTALL_DIR/zeronet/mail.txt - if [ ! -f $MESH_INSTALL_DIR/zeronet/mail.txt ]; then - echo $'Unable to create mail' - exit 479 - fi - mail_address=$(cat mail.txt | grep "Site address" | awk -F ':' '{print $2}') - mail_private_key=$(cat mail.txt | grep "Site private key" | awk -F ':' '{print $2}') - ZERONET_MAIL_ADDRESS=${mail_address//[[:blank:]]/} - ZERONET_MAIL_PRIVATE_KEY=${mail_private_key//[[:blank:]]/} - - if [ ${#ZERONET_MAIL_ADDRESS} -lt 20 ]; then - echo $"Address: $ZERONET_MAIL_ADDRESS" - echo $"Public key: $ZERONET_MAIL_PRIVATE_KEY" - echo $'Unable to create zeronet mail address' - exit 7358 - fi - - if [ ${#ZERONET_MAIL_PRIVATE_KEY} -lt 20 ]; then - echo $"Address: $ZERONET_MAIL_ADDRESS" - echo $"Public key: $ZERONET_MAIL_PRIVATE_KEY" - echo $'Unable to create zeronet mail private key' - exit 1639 - fi - - if [ ! -d "$MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS" ]; then - echo $"Unable to find site directory: $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS" - exit 7638 - fi - - git_clone $ZERONET_MAIL_REPO ZeroMail - if [ ! -d $MESH_INSTALL_DIR/zeronet/ZeroMail ]; then - echo $'ZeroMail repo could not be cloned' - exit 6739 - fi - cd $MESH_INSTALL_DIR/zeronet/ZeroMail - git checkout $ZERONET_MAIL_COMMIT -b $ZERONET_MAIL_COMMIT - if ! grep -q "ZeroNet Mail commit" $COMPLETION_FILE; then - echo "ZeroNet Mail commit:$ZERONET_MAIL_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/ZeroNet Mail commit.*/ZeroNet Mail commit:$ZERONET_MAIL_COMMIT/g" $COMPLETION_FILE - fi - - echo $"ZeroNet Mail address: $ZERONET_MAIL_ADDRESS" - echo $"ZeroNet Mail private key: $ZERONET_MAIL_PRIVATE_KEY" - cp -r $MESH_INSTALL_DIR/zeronet/ZeroMail/* $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS - - if [ ! -d $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data ]; then - mkdir $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data - fi - cp $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data-default/data.json $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data - sed -i "s/MyZeroMail/$ZERONET_DEFAULT_MAIL_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data/data.json - sed -i "s/My ZeroMail./$ZERONET_DEFAULT_MAIL_TAGLINE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data/data.json - sed -i "s/ZeroMail Demo/$ZERONET_DEFAULT_MAIL_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/index.html - sed -i "s|

.*|

$ZERONET_DEFAULT_MAIL_TAGLINE

|g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/index.html - sed -i "s/Mailging platform Demo/Mailging platform/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/content.json - python zeronet.py siteSign $ZERONET_MAIL_ADDRESS $ZERONET_MAIL_PRIVATE_KEY - - # Add an avahi service - echo '' > /tmp/zeronet-mail.service - echo '' >> /tmp/zeronet-mail.service - echo '' >> /tmp/zeronet-mail.service - echo ' %h ZeroNet Mail' >> /tmp/zeronet-mail.service - echo ' ' >> /tmp/zeronet-mail.service - echo ' _zeronet._udp' >> /tmp/zeronet-mail.service - echo " $ZERONET_PORT" >> /tmp/zeronet-mail.service - echo " $ZERONET_URL/$ZERONET_MAIL_ADDRESS" >> /tmp/zeronet-mail.service - echo ' ' >> /tmp/zeronet-mail.service - echo '' >> /tmp/zeronet-mail.service - cp /tmp/zeronet-mail.service /etc/avahi/services/zeronet-mail.service - - if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then - mkdir -p /home/$MY_USERNAME/.config/zeronet - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config - fi - echo "$ZERONET_URL/$ZERONET_MAIL_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/mymail - - if ! grep -q $"ZeroNet Mail address" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo $"ZeroNet Mail address: $ZERONET_MAIL_ADDRESS" >> /home/$MY_USERNAME/README - echo $"ZeroNet Mail private key: $ZERONET_MAIL_PRIVATE_KEY" >> /home/$MY_USERNAME/README - fi - - echo 'install_zeronet_mail' >> $COMPLETION_FILE -} - -function install_zeronet_forum { - if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then - return - fi - - # update to the next commit - set_repo_commit $MESH_INSTALL_DIR/zeronet/ZeroTalk "ZeroNet Forum commit" "$ZERONET_FORUM_COMMIT" $ZERONET_FORUM_REPO - - if grep -Fxq "install_zeronet_forum" $COMPLETION_FILE; then - return - fi - - if [ ! -f /home/$MY_USERNAME/README ]; then - touch /home/$MY_USERNAME/README - fi - - if grep -q "ZeroNet Forum address" /home/$MY_USERNAME/README; then - return - fi - - if [ ! -d /etc/avahi ]; then - echo $'Avahi is not installed' - exit 736 - fi - - ZERONET_DEFAULT_FORUM_TITLE=$"${MY_USERNAME}'s Forum" - - cd $MESH_INSTALL_DIR/zeronet - python zeronet.py --batch siteCreate 2> $MESH_INSTALL_DIR/zeronet/forum.txt - if [ ! -f $MESH_INSTALL_DIR/zeronet/forum.txt ]; then - echo $'Unable to create forum' - exit 479 - fi - forum_address=$(cat forum.txt | grep "Site address" | awk -F ':' '{print $2}') - forum_private_key=$(cat forum.txt | grep "Site private key" | awk -F ':' '{print $2}') - ZERONET_FORUM_ADDRESS=${forum_address//[[:blank:]]/} - ZERONET_FORUM_PRIVATE_KEY=${forum_private_key//[[:blank:]]/} - - if [ ${#ZERONET_FORUM_ADDRESS} -lt 20 ]; then - echo $"Address: $ZERONET_FORUM_ADDRESS" - echo $"Public key: $ZERONET_FORUM_PRIVATE_KEY" - echo $'Unable to create zeronet forum address' - exit 76352 - fi - - if [ ${#ZERONET_FORUM_PRIVATE_KEY} -lt 20 ]; then - echo $"Address: $ZERONET_FORUM_ADDRESS" - echo $"Public key: $ZERONET_FORUM_PRIVATE_KEY" - echo $'Unable to create zeronet forum private key' - exit 87356 - fi - - if [ ! -d "$MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS" ]; then - echo $"Unable to find site directory: $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS" - exit 7638 - fi - - git_clone $ZERONET_FORUM_REPO ZeroTalk - if [ ! -d $MESH_INSTALL_DIR/zeronet/ZeroTalk ]; then - echo $'ZeroTalk repo could not be cloned' - exit 6739 - fi - git checkout $ZERONET_FORUM_COMMIT -b $ZERONET_FORUM_COMMIT - if ! grep -q "ZeroNet Forum commit" $COMPLETION_FILE; then - echo "ZeroNet Forum commit:$ZERONET_FORUM_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/ZeroNet Forum commit.*/ZeroNet Forum commit:$ZERONET_FORUM_COMMIT/g" $COMPLETION_FILE - fi - - echo $"Forum address: $ZERONET_FORUM_ADDRESS" - echo $"Forum private key: $ZERONET_FORUM_PRIVATE_KEY" - cp -r $MESH_INSTALL_DIR/zeronet/ZeroTalk/* $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS - sed -i "s/ZeroBoard/$ZERONET_DEFAULT_FORUM_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html - sed -i "s/ZeroTalk/$ZERONET_DEFAULT_FORUM_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html - sed -i "s|Demo for dynamic, decentralized content publishing.|$ZERONET_DEFAULT_FORUM_TAGLINE|g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html - sed -i 's/Messaging Board Demo/Messaging Board/g' $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/content.json - sed -i "s/ZeroBoard/$ZERONET_DEFAULT_FORUM_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/content.json - python zeronet.py siteSign $ZERONET_FORUM_ADDRESS $ZERONET_FORUM_PRIVATE_KEY --inner_path data/users/content.json - - # Add an avahi service - echo '' > /tmp/zeronet-forum.service - echo '' >> /tmp/zeronet-forum.service - echo '' >> /tmp/zeronet-forum.service - echo ' %h ZeroNet Forum' >> /tmp/zeronet-forum.service - echo ' ' >> /tmp/zeronet-forum.service - echo ' _zeronet._udp' >> /tmp/zeronet-forum.service - echo " $ZERONET_PORT" >> /tmp/zeronet-forum.service - echo " $ZERONET_URL/$ZERONET_FORUM_ADDRESS" >> /tmp/zeronet-forum.service - echo ' ' >> /tmp/zeronet-forum.service - echo '' >> /tmp/zeronet-forum.service - sudo cp /tmp/zeronet-forum.service /etc/avahi/services/zeronet-forum.service - - if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then - mkdir -p /home/$MY_USERNAME/.config/zeronet - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config - fi - echo "$ZERONET_URL/$ZERONET_FORUM_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/myforum - - if ! grep -q $"ZeroNet Forum address" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo $"ZeroNet Forum address: $ZERONET_FORUM_ADDRESS" >> /home/$MY_USERNAME/README - echo $"ZeroNet Forum private key: $ZERONET_FORUM_PRIVATE_KEY" >> /home/$MY_USERNAME/README - fi - - echo 'install_zeronet_forum' >> $COMPLETION_FILE -} - -function install_zeronet { - if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then - return - fi - - # update to the next commit - set_repo_commit $MESH_INSTALL_DIR/zeronet "ZeroNet commit" "$ZERONET_COMMIT" $ZERONET_REPO - - if grep -Fxq "install_zeronet" $COMPLETION_FILE; then - return - fi - - ${PROJECT_NAME}-mesh-install -f zeronet - systemctl daemon-reload - systemctl start tracker.service - systemctl start zeronet.service - - echo 'mesh_zeronet' >> $COMPLETION_FILE -} - -function install_vpn_tunnel { - if ! grep -q "repo.universe-factory.net" /etc/apt/sources.list; then - echo 'deb http://repo.universe-factory.net/debian/ sid main' >> /etc/apt/sources.list - gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9C - if [ ! "$?" = "0" ]; then - exit 76272 - fi - gpg -a --export 16EF3F64CB201D9C | sudo apt-key add - - apt-get update - apt-get -y install fastd - if [ ! "$?" = "0" ]; then - exit 52026 - fi - fi -} - -# ath9k_htc driver -function install_atheros_wifi { - if grep -Fxq "install_atheros_wifi" $COMPLETION_FILE; then - return - fi - if [ $INSTALLING_ON_BBB != "yes" ]; then - return - fi - if [[ $ENABLE_BABEL != "yes" && $ENABLE_BATMAN != "yes" && $ENABLE_CJDNS != "yes" ]]; then - return - fi - if [ -d $INSTALL_DIR/open-ath9k-htc-firmware ]; then - return - fi - # have drivers already been installed ? - if [ -f /lib/firmware/htc_9271.fw ]; then - return - fi - apt-get -y install build-essential cmake git m4 texinfo - if [ ! -d $INSTALL_DIR ]; then - mkdir -p $INSTALL_DIR - fi - cd $INSTALL_DIR - if [ ! -d $INSTALL_DIR/open-ath9k-htc-firmware ]; then - git_clone $ATHEROS_WIFI_REPO $INSTALL_DIR/open-ath9k-htc-firmware - if [ ! "$?" = "0" ]; then - rm -rf $INSTALL_DIR/open-ath9k-htc-firmware - exit 74283 - fi - fi - cd $INSTALL_DIR/open-ath9k-htc-firmware - git checkout 1.4.0 - make toolchain - if [ ! "$?" = "0" ]; then - rm -rf $INSTALL_DIR/open-ath9k-htc-firmware - exit 24820 - fi - make firmware - if [ ! "$?" = "0" ]; then - rm -rf $INSTALL_DIR/open-ath9k-htc-firmware - exit 63412 - fi - cp target_firmware/*.fw /lib/firmware/ - if [ ! "$?" = "0" ]; then - exit 74681 - fi - echo 'install_atheros_wifi' >> $COMPLETION_FILE -} - -function configure_avahi { - if grep -Fxq "configure_avahi" $COMPLETION_FILE; then - return - fi - # only enable avahi if we're doing mesh networking - if [[ $ENABLE_BABEL != "yes" && $ENABLE_BATMAN != "yes" && $ENABLE_CJDNS != "yes" ]]; then - return - fi - - ${PROJECT_NAME}-mesh-install -f avahi - if [ ! "$?" = "0" ]; then - echo $'Failed to install avahi' - exit 68442 - fi - - if [ $DEFAULT_DOMAIN_NAME ]; then - sed -i "s|#host-name=.*|host-name=$DEFAULT_DOMAIN_NAME|g" /etc/avahi/avahi-daemon.conf - sed -i "s|host-name=.*|host-name=$DEFAULT_DOMAIN_NAME|g" /etc/avahi/avahi-daemon.conf - else - decarray=( 1 2 3 4 5 6 7 8 9 0 ) - PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]} - sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" /etc/avahi/avahi-daemon.conf - sed -i "s|host-name=.*|host-name=P$PEER_ID|g" /etc/avahi/avahi-daemon.conf - fi - - echo 'configure_avahi' >> $COMPLETION_FILE -} - -function mesh_babel { - if grep -Fxq "mesh_babel" $COMPLETION_FILE; then - return - fi - if [[ $ENABLE_BABEL != "yes" ]]; then - return - fi - - ${PROJECT_NAME}-mesh-install -f babel - if [ ! "$?" = "0" ]; then - echo $'Failed to install babel' - exit 67242 - fi - - echo 'mesh_babel' >> $COMPLETION_FILE -} - -function mesh_batman { - if grep -Fxq "mesh_batman" $COMPLETION_FILE; then - return - fi - if [[ $ENABLE_BATMAN != "yes" ]]; then - return - fi - - ${PROJECT_NAME}-mesh-install -f batman - if [ ! "$?" = "0" ]; then - echo $'Failed to install batman' - exit 72524 - fi - - if ! grep -q "Mesh Networking (B.A.T.M.A.N)" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo 'Mesh Networking (B.A.T.M.A.N)' >> /home/$MY_USERNAME/README - echo '=============================' >> /home/$MY_USERNAME/README - echo "Mesh ESSID: $WIFI_SSID" >> /home/$MY_USERNAME/README - echo "Mesh cell ID: $BATMAN_CELLID" >> /home/$MY_USERNAME/README - echo "Mesh wifi channel: $WIFI_CHANNEL" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'mesh_batman' >> $COMPLETION_FILE -} - -function remove_instructions_from_motd { - sed -i '/## /d' /etc/motd -} - -function check_hwrng { - if [[ $HWRNG_TYPE == "beaglebone" ]]; then - # If hardware random number generation was enabled then make sure that the device exists. - # if /dev/hwrng is not found then any subsequent cryptographic key generation would - # suffer from low entropy and might be insecure - if [ ! -e /dev/hwrng ]; then - ls /dev/hw* - echo $'The hardware random number generator is enabled but could not be detected on' - echo $'/dev/hwrng. There may be a problem with the installation or the Beaglebone hardware.' - exit 75 - fi - fi - - # If a OneRNG device was installed then verify its firmware - #check_onerng_verification -} - -function create_freedns_updater { - if [[ $ONION_ONLY != "no" ]]; then - return - fi - - # currently inadyn doesn't work as expected with freeDNS, so this is a workaround - if grep -Fxq "create_freedns_updater" $COMPLETION_FILE; then - return - fi - if [[ $DDNS_PROVIDER != "default@freedns.afraid.org" ]]; then - return - fi - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - FREEDNS_WGET='wget -q --read-timeout=0.0 --waitretry=5 --tries=4 https://freedns.afraid.org/dynamic/update.php?' - - echo '#!/bin/bash' > /usr/bin/dynamicdns - echo 'cd /tmp' >> /usr/bin/dynamicdns - if [ $DEFAULT_DOMAIN_CODE ]; then - echo "# $DEFAULT_DOMAIN_NAME" >> /usr/bin/dynamicdns - echo "$FREEDNS_WGET$DEFAULT_DOMAIN_CODE=" >> /usr/bin/dynamicdns - fi - if [ $WIKI_CODE ]; then - if [[ $WIKI_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then - echo "# $WIKI_DOMAIN_NAME" >> /usr/bin/dynamicdns - echo "$FREEDNS_WGET$WIKI_CODE=" >> /usr/bin/dynamicdns - fi - fi - if [ $FULLBLOG_CODE ]; then - if [[ $FULLBLOG_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then - echo "# $FULLBLOG_DOMAIN_NAME" >> /usr/bin/dynamicdns - echo "$FREEDNS_WGET$FULLBLOG_CODE=" >> /usr/bin/dynamicdns - fi - fi - if [ $HUBZILLA_CODE ]; then - if [[ $HUBZILLA_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then - echo "# $HUBZILLA_DOMAIN_NAME" >> /usr/bin/dynamicdns - echo "$FREEDNS_WGET$HUBZILLA_CODE=" >> /usr/bin/dynamicdns - fi - fi - if [ $MICROBLOG_CODE ]; then - if [[ $MICROBLOG_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then - echo "# $MICROBLOG_DOMAIN_NAME" >> /usr/bin/dynamicdns - echo "$FREEDNS_WGET$MICROBLOG_CODE=" >> /usr/bin/dynamicdns - fi - fi - if [ $GIT_CODE ]; then - if [[ $GIT_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then - echo "# $GIT_DOMAIN_NAME" >> /usr/bin/dynamicdns - echo "$FREEDNS_WGET$GIT_CODE=" >> /usr/bin/dynamicdns - fi - fi - if [ $MEDIAGOBLIN_CODE ]; then - if [[ $MEDIAGOBLIN_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then - echo "# $MEDIAGOBLIN_DOMAIN_NAME" >> /usr/bin/dynamicdns - echo "$FREEDNS_WGET$MEDIAGOBLIN_CODE=" >> /usr/bin/dynamicdns - fi - fi - echo 'exit 0' >> /usr/bin/dynamicdns - chmod 600 /usr/bin/dynamicdns - chmod +x /usr/bin/dynamicdns - - if ! grep -q "/usr/bin/dynamicdns" /etc/crontab; then - echo '*/3 * * * * root /usr/bin/dynamicdns' >> /etc/crontab - systemctl restart cron - fi - - echo 'create_freedns_updater' >> $COMPLETION_FILE -} - -function backup_to_friends_servers { - # update crontab - echo '#!/bin/bash' > /etc/cron.daily/backuptofriends - echo "if [ -f /usr/local/bin/${PROJECT_NAME}-backup-remote ]; then" >> /etc/cron.daily/backuptofriends - echo " /usr/local/bin/${PROJECT_NAME}-backup-remote" >> /etc/cron.daily/backuptofriends - echo 'else' >> /etc/cron.daily/backuptofriends - echo " /usr/bin/${PROJECT_NAME}-backup-remote" >> /etc/cron.daily/backuptofriends - echo 'fi' >> /etc/cron.daily/backuptofriends - chmod +x /etc/cron.daily/backuptofriends -} - -function remove_default_user { - # make sure you don't use the default user account - if [[ $MY_USERNAME == "debian" ]]; then - echo 'Do not use the default debian user account. Create a different user with: adduser [username]' - exit 68 - fi - # remove the default debian user to prevent it from becoming an attack vector - if [ -d /home/debian ]; then - userdel -r debian - echo 'Default debian user account removed' - fi -} - -function enforce_good_passwords { - # because humans are generally bad at choosing passwords - if grep -Fxq "enforce_good_passwords" $COMPLETION_FILE; then - return - fi - apt-get -y install libpam-cracklib - - sed -i 's/password.*requisite.*pam_cracklib.so.*/password required pam_cracklib.so retry=2 dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0 minlen=10 reject_username/g' /etc/pam.d/common-password - echo 'enforce_good_passwords' >> $COMPLETION_FILE -} - -function change_login_message { - if grep -Fxq "change_login_message" $COMPLETION_FILE; then - return - fi - - # remove automatic motd creator if it exists - if [ -f /etc/init.d/motd ]; then - rm -f /etc/init.d/motd - fi - - echo '' > /etc/motd - echo ".---. . . " >> /etc/motd - echo "| | | " >> /etc/motd - echo "|--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. " >> /etc/motd - echo "| | (.-' (.-' ( | ( )| | | | )( )| | (.-' " >> /etc/motd - echo "' ' --' --' -' - -' ' ' -' -' -' ' - --'" >> /etc/motd - - if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then - echo $' M A I L B O X E D I T I O N' >> /etc/motd - fi - - if [[ $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then - echo $' S O C I A L E D I T I O N' >> /etc/motd - fi - - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then - echo $' C H A T E D I T I O N' >> /etc/motd - fi - - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then - echo $' C L O U D E D I T I O N' >> /etc/motd - fi - - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then - echo $' W R I T E R E D I T I O N ' >> /etc/motd - fi - - if [[ $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then - echo $' M E D I A E D I T I O N' >> /etc/motd - fi - - if [[ $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then - echo $' D E V E L O P E R E D I T I O N' >> /etc/motd - fi - - echo '' >> /etc/motd - if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then - echo $' Freedom in the Cloud' >> /etc/motd - else - echo $' Freedom in the Mesh' >> /etc/motd - fi - echo '' >> /etc/motd - echo 'change_login_message' >> $COMPLETION_FILE -} - -function search_for_attached_usb_drive { - # If a USB drive is attached then search for email, - # gpg, ssh keys and emacs configuration - if grep -Fxq "search_for_attached_usb_drive" $COMPLETION_FILE; then - return - fi - if [ -b $USB_DRIVE ]; then - if [ ! -d $USB_MOUNT ]; then - echo $'Mounting USB drive' - mkdir $USB_MOUNT - mount $USB_DRIVE $USB_MOUNT - fi - if ! [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then - if [ -d $USB_MOUNT/Maildir ]; then - echo $'Maildir found on USB drive' - IMPORT_MAILDIR=$USB_MOUNT/Maildir - fi - if [ -d $USB_MOUNT/.gnupg ]; then - echo $'Importing GPG keyring' - cp -r $USB_MOUNT/.gnupg /home/$MY_USERNAME - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg - GPG_KEYS_IMPORTED="yes" - if [ ! -f /home/$MY_USERNAME/.gnupg/secring.gpg ]; then - echo $'GPG files did not copy' - exit 73529 - fi - fi - - if [ -f $USB_MOUNT/.procmailrc ]; then - echo $'Importing procmail settings' - cp $USB_MOUNT/.procmailrc /home/$MY_USERNAME - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc - fi - - if [ -f $USB_MOUNT/private_key.gpg ]; then - echo $'GPG private key found on USB drive' - MY_GPG_PRIVATE_KEY=$USB_MOUNT/private_key.gpg - fi - if [ -f $USB_MOUNT/public_key.gpg ]; then - echo $'GPG public key found on USB drive' - MY_GPG_PUBLIC_KEY=$USB_MOUNT/public_key.gpg - fi - fi - if [ -d $USB_MOUNT/prosody ]; then - if [ ! -d $XMPP_DIRECTORY ]; then - mkdir $XMPP_DIRECTORY - fi - cp -r $USB_MOUNT/prosody/* $XMPP_DIRECTORY - chown -R prosody:prosody $XMPP_DIRECTORY - fi - if [ -d $USB_MOUNT/.ssh ]; then - echo $'Importing ssh keys' - cp -r $USB_MOUNT/.ssh /home/$MY_USERNAME - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh - # for security delete the ssh keys from the usb drive - if [ ! -f /home/$MY_USERNAME/.ssh/id_rsa ]; then - echo $'ssh files did not copy' - exit 8 - fi - fi - if [ -f $USB_MOUNT/.emacs ]; then - echo $'Importing .emacs file' - cp -f $USB_MOUNT/.emacs /home/$MY_USERNAME/.emacs - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs - fi - if [ -d $USB_MOUNT/.emacs.d ]; then - echo $'Importing .emacs.d directory' - cp -r $USB_MOUNT/.emacs.d /home/$MY_USERNAME - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs.d - fi - if [ -d $USB_MOUNT/ssl ]; then - echo $'Importing SSL certificates' - cp -r $USB_MOUNT/ssl/* /etc/ssl - chmod 640 /etc/ssl/certs/* - chmod 400 /etc/ssl/private/* - # change ownership of some certificates - if [ -d /etc/prosody ]; then - chown prosody:prosody /etc/ssl/private/xmpp.* - chown prosody:prosody /etc/ssl/certs/xmpp.* - fi - if [ -d /etc/dovecot ]; then - chown root:dovecot /etc/ssl/certs/dovecot.* - chown root:dovecot /etc/ssl/private/dovecot.* - fi - if [ -f /etc/ssl/private/exim.key ]; then - cp /etc/ssl/private/exim.key /etc/exim4 - cp /etc/ssl/certs/exim.crt /etc/exim4 - cp /etc/ssl/certs/exim.dhparam /etc/exim4 - chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam - chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam - fi - fi - if [ -d $USB_MOUNT/personal ]; then - echo $'Importing personal directory' - cp -r $USB_MOUNT/personal /home/$MY_USERNAME - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/personal - fi - else - if [ -d $USB_MOUNT ]; then - umount $USB_MOUNT - rm -rf $USB_MOUNT - fi - echo $'No USB drive attached' - fi - echo 'search_for_attached_usb_drive' >> $COMPLETION_FILE -} - -function create_repo_sources { - if grep -Fxq "create_repo_sources" $COMPLETION_FILE; then - return - fi - rm -rf /var/lib/apt/lists/* - apt-get clean - - echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main" > /etc/apt/sources.list - echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main" >> /etc/apt/sources.list - echo '' >> /etc/apt/sources.list - echo "deb http://security.debian.org/ ${DEBIAN_VERSION}/updates main" >> /etc/apt/sources.list - echo "deb-src http://security.debian.org/ ${DEBIAN_VERSION}/updates main" >> /etc/apt/sources.list - echo '' >> /etc/apt/sources.list - echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main" >> /etc/apt/sources.list - echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main" >> /etc/apt/sources.list - echo '' >> /etc/apt/sources.list - echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main" >> /etc/apt/sources.list - echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main" >> /etc/apt/sources.list - - apt-get update - apt-get -y install apt-transport-https - - echo 'create_repo_sources' >> $COMPLETION_FILE -} - -function initial_setup { - if grep -Fxq "initial_setup" $COMPLETION_FILE; then - return - fi - - apt-get -y remove --purge apache* - apt-get -y dist-upgrade - apt-get -y install ca-certificates emacs24 cpulimit - apt-get -y install cryptsetup libgfshare-bin obnam sshpass wget - apt-get -y install avahi-daemon avahi-utils avahi-discover - apt-get -y install connect-proxy - - if [ ! -d $INSTALL_DIR ]; then - mkdir -p $INSTALL_DIR - fi - - echo 'initial_setup' >> $COMPLETION_FILE -} - -function allow_ssh_to_onion_address { - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! -d /home/$MY_USERNAME/.ssh ]; then - mkdir /home/$MY_USERNAME/.ssh - fi - if [ ! -d /etc/tor ]; then - echo $'Tor not found when updating ssh' - exit 528257 - fi - if ! grep -q "onion" /home/$MY_USERNAME/.ssh/config; then - echo 'Host *.onion' >> /home/$MY_USERNAME/.ssh/config - echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /home/$MY_USERNAME/.ssh/config - fi -} - -function install_tor { - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "install_tor" $COMPLETION_FILE; then - return - fi - apt-get -y install tor - if [ ! -f /etc/tor/torrc ]; then - echo 'Tor failed to install' - exit 38259 - fi - echo 'install_tor' >> $COMPLETION_FILE -} - -function resolve_dns_via_tor { - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "resolve_dns_via_tor" $COMPLETION_FILE; then - return - fi - if [ ! -f /etc/tor/torrc ]; then - echo $'tor was not installed' - exit 52952 - fi - - # resolve DNS via tor - if ! grep 'DNSPort 53' /etc/tor/torrc; then - echo 'DNSPort 53' >> /etc/tor/torrc - echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc - echo 'AutomapHostsSuffixes .exit,.onion' >> /etc/tor/torrc - systemctl restart tor - fi - - # don't change resolv.conf - sed -i 's|, domain-name-servers||g' /etc/dhcp/dhclient.conf - - # point resolv.conf to tor - echo 'nameserver 127.0.0.1:53' > /etc/resolv.conf - - # prevent resolv.conf from changing - chattr +i /etc/resolv.conf - - echo 'resolve_dns_via_tor' >> $COMPLETION_FILE -} - -function enable_ssh_via_onion { - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "enable_ssh_via_onion" $COMPLETION_FILE; then - return - fi - apt-get -y install tor connect-proxy - if ! grep -q 'Host *.onion' /home/$MY_USERNAME/.ssh/config; then - if [ ! -d /home/$MY_USERNAME/.ssh ]; then - mkdir /home/$MY_USERNAME/.ssh - fi - echo 'Host *.onion' >> /home/$MY_USERNAME/.ssh/config - echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /home/$MY_USERNAME/.ssh/config - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh/config - fi - if ! grep -q 'Host *.onion' /root/.ssh/config; then - if [ ! -d /root/.ssh ]; then - mkdir /root/.ssh - fi - echo 'Host *.onion' >> /root/.ssh/config - echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /root/.ssh/config - fi - echo 'enable_ssh_via_onion' >> $COMPLETION_FILE -} - -function install_editor { - if grep -Fxq "install_editor" $COMPLETION_FILE; then - return - fi - update-alternatives --set editor /usr/bin/emacs24 - - # A minimal emacs configuration - #echo -n "(add-to-list 'load-path " > /home/$MY_USERNAME/.emacs - #echo '"~/.emacs.d/")' >> /home/$MY_USERNAME/.emacs - #echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Remove trailing whitepace ======================================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo ";;(add-hook 'before-save-hook 'delete-trailing-whitespace)" >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo ';; Goto a line number with CTRL-l' >> /home/$MY_USERNAME/.emacs - echo -n '(global-set-key "\C-l" ' >> /home/$MY_USERNAME/.emacs - echo "'goto-line)" >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Show line numbers ==============================================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo "(add-hook 'find-file-hook (lambda () (linum-mode 1)))" >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Enable line wrapping in org-mode ===============================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo " (add-hook 'org-mode-hook" >> /home/$MY_USERNAME/.emacs - echo " '(lambda ()" >> /home/$MY_USERNAME/.emacs - echo " (visual-line-mode 1)))" >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Enable shift select in org mode ================================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo '(setq org-support-shift-select t)' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Set standard indent to 4 rather that 4 =========================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo '(setq standard-indent 4)' >> /home/$MY_USERNAME/.emacs - echo '(setq-default tab-width 4)' >> /home/$MY_USERNAME/.emacs - echo '(setq c-basic-offset 4)' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Support Wheel Mouse Scrolling ==================================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo '(mouse-wheel-mode t)' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Place Backup Files in Specific Directory =======================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo '(setq make-backup-files t)' >> /home/$MY_USERNAME/.emacs - echo '(setq version-control t)' >> /home/$MY_USERNAME/.emacs - echo '(setq backup-directory-alist (quote ((".*" . "~/.emacs_backups/"))))' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Make Text mode the default mode for new buffers ================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo "(setq default-major-mode 'text-mode)" >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Line length ====================================================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo '(setq-default fill-column 72)' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Enable Line and Column Numbering ===============================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo '(line-number-mode 1)' >> /home/$MY_USERNAME/.emacs - echo '(column-number-mode 1)' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Turn on Auto Fill mode automatically in all modes ==============' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo ';; Auto-fill-mode the the automatic wrapping of lines and insertion of' >> /home/$MY_USERNAME/.emacs - echo ';; newlines when the cursor goes over the column limit.' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo ';; This should actually turn on auto-fill-mode by default in all major' >> /home/$MY_USERNAME/.emacs - echo ';; modes. The other way to do this is to turn on the fill for specific modes' >> /home/$MY_USERNAME/.emacs - echo ';; via hooks.' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo '(setq auto-fill-mode 1)' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo $';; ===== Enable GPG encryption =========================================' >> /home/$MY_USERNAME/.emacs - echo '' >> /home/$MY_USERNAME/.emacs - echo "(require 'epa)" >> /home/$MY_USERNAME/.emacs - echo '(epa-file-enable)' >> /home/$MY_USERNAME/.emacs - cp /home/$MY_USERNAME/.emacs /root/.emacs - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs - - echo 'install_editor' >> $COMPLETION_FILE -} - -function enable_zram { - if grep -Fxq "enable_zram" $COMPLETION_FILE; then - return - fi - - if [[ $INSTALLED_WITHIN_DOCKER == "yes" || $INSTALLING_ON_BBB != "yes" ]]; then - ${PROJECT_NAME}-zram off - return - fi - - ${PROJECT_NAME}-zram on - - echo 'enable_zram' >> $COMPLETION_FILE -} - -function check_onerng_verification { - if grep -Fxq "check_onerng_verification" $COMPLETION_FILE; then - return - fi - if [[ $HWRNG_TYPE != "onerng" ]]; then - return - fi - echo $'Checking OneRNG firmware verification' - last_onerng_validation=$(cat /var/log/syslog.1 | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}') - if [[ $last_onerng_validation != *"passed OK"* ]]; then - last_onerng_validation=$(cat /var/log/syslog | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}') - if [[ $last_onerng_validation != *"passed OK"* ]]; then - echo $last_onerng_validation - echo $'OneRNG firmware verification failed' - exit 735026 - fi - fi - echo $'OneRNG firmware verification passed' - # if haveged was previously installed then remove it - apt-get -y remove haveged - echo 'check_onerng_verification' >> $COMPLETION_FILE -} - -function install_onerng { - apt-get -y install rng-tools at python-gnupg - - # Move to the installation directory - if [ ! -d $INSTALL_DIR ]; then - mkdir $INSTALL_DIR - fi - cd $INSTALL_DIR - - # Download the package - if [ ! -f $ONERNG_PACKAGE ]; then - wget $ONERNG_PACKAGE_DOWNLOAD - mv "$ONERNG_PACKAGE?raw=true" $ONERNG_PACKAGE - fi - if [ ! -f $ONERNG_PACKAGE ]; then - echo $"OneRNG package could not be downloaded" - exit 59249 - fi - - # Check the hash - hash=$(sha256sum $ONERNG_PACKAGE | awk -F ' ' '{print $1}') - if [[ $hash != $ONERNG_PACKAGE_HASH ]]; then - echo $"OneRNG package: $ONERNG_PACKAGE" - echo $"Hash does not match. This could indicate that the package has been tampered with." - echo $"OneRNG expected package hash: $ONERNG_PACKAGE_HASH" - echo $"OneRNG actual hash: $hash" - exit 25934 - fi - - # install the package - dpkg -i $ONERNG_PACKAGE - - # Check that the install worked - if [ ! -f /etc/onerng.conf ]; then - echo $'OneRNG configuration file not found. The package may not have installed successfully.' - exit 42904 - fi - - dialog --title $"OneRNG Device" \ - --msgbox $"Please plug in the OneRNG device" 6 40 - - # check rng-tools configuration - if ! grep -q "/dev/$ONERNG_DEVICE" /etc/default/rng-tools; then - echo "HRNGDEVICE=/dev/$ONERNG_DEVICE" >> /etc/default/rng-tools - fi - - systemctl restart rng-tools -} - -function random_number_generator { - if grep -Fxq "random_number_generator" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # it is assumed that docker uses the random number - # generator of the host system - return - fi - - # if the hrng type has not been set but /dev/hwrng is detected - if [[ $HWRNG_TYPE != "beaglebone" ]]; then - if [ -e /dev/hwrng ]; then - HWRNG_TYPE="beaglebone" - fi - fi - - case $HWRNG_TYPE in - beaglebone) - apt-get -y install rng-tools - sed -i 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/hwrng|g' /etc/default/rng-tools - ;; - onerng) - install_onerng - ;; - *) - apt-get -y install haveged - ;; - esac - - echo 'random_number_generator' >> $COMPLETION_FILE -} - -function configure_ssh { - if grep -Fxq "configure_ssh" $COMPLETION_FILE; then - return - fi - sed -i "s/Port .*/Port $SSH_PORT/g" /etc/ssh/sshd_config - sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config - sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config - sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config - sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config - sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config - sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config - if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then - echo 'DebianBanner no' >> /etc/ssh/sshd_config - else - sed -i 's|DebianBanner.*|DebianBanner no|g' /etc/ssh/sshd_config - fi - if grep -q 'ClientAliveInterval' /etc/ssh/sshd_config; then - sed -i 's/ClientAliveInterval.*/ClientAliveInterval 60/g' /etc/ssh/sshd_config - else - echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config - fi - if grep -q 'ClientAliveCountMax' /etc/ssh/sshd_config; then - sed -i 's/ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config - else - echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config - fi - if grep -q 'Ciphers' /etc/ssh/sshd_config; then - sed -i "s|Ciphers.*|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config - else - echo "Ciphers $SSH_CIPHERS" >> /etc/ssh/sshd_config - fi - if grep -q 'MACs' /etc/ssh/sshd_config; then - sed -i "s|MACs.*|MACs $SSH_MACS|g" /etc/ssh/sshd_config - else - echo "MACs $SSH_MACS" >> /etc/ssh/sshd_config - fi - if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then - sed -i "s|KexAlgorithms.*|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config - else - echo "KexAlgorithms $SSH_KEX" >> /etc/ssh/sshd_config - fi - - apt-get -y install fail2ban - echo 'configure_ssh' >> $COMPLETION_FILE -} - -function configure_ssh_onion { - if grep -Fxq "configure_ssh_onion" $COMPLETION_FILE; then - return - fi - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - SSH_ONION_HOSTNAME=$(add_onion_service ssh ${SSH_PORT} ${SSH_PORT}) - - if ! grep -q "ssh onion domain" $COMPLETION_FILE; then - echo "ssh onion domain:${SSH_ONION_HOSTNAME}" >> $COMPLETION_FILE - else - sed -i "s|ssh onion domain.*|ssh onion domain:${SSH_ONION_HOSTNAME}|g" $COMPLETION_FILE - fi - - echo 'configure_ssh_onion' >> $COMPLETION_FILE -} - -# see https://stribika.github.io/2015/01/04/secure-secure-shell.html -function ssh_remove_small_moduli { - awk '$5 > 2000' /etc/ssh/moduli > ~/moduli - mv ~/moduli /etc/ssh/moduli -} - -function configure_ssh_client { - if grep -Fxq "configure_ssh_client" $COMPLETION_FILE; then - return - fi - #sed -i 's/# PasswordAuthentication.*/ PasswordAuthentication no/g' /etc/ssh/ssh_config - #sed -i 's/# ChallengeResponseAuthentication.*/ ChallengeResponseAuthentication no/g' /etc/ssh/ssh_config - sed -i "s/# HostKeyAlgorithms.*/ HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS/g" /etc/ssh/ssh_config - sed -i "s/# Ciphers.*/ Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config - sed -i "s/# MACs.*/ MACs $SSH_MACS/g" /etc/ssh/ssh_config - if ! grep -q "HostKeyAlgorithms" /etc/ssh/ssh_config; then - echo " HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS" >> /etc/ssh/ssh_config - fi - sed -i "s/Ciphers.*/Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config - if ! grep -q "Ciphers " /etc/ssh/ssh_config; then - echo " Ciphers $SSH_CIPHERS" >> /etc/ssh/ssh_config - fi - sed -i "s/MACs.*/MACs $SSH_MACS/g" /etc/ssh/ssh_config - if ! grep -q "MACs " /etc/ssh/ssh_config; then - echo " MACs $SSH_MACS" >> /etc/ssh/ssh_config - fi - - # Create ssh keys - if [ ! -f ~/.ssh/id_ed25519 ]; then - ssh-keygen -t ed25519 -o -a 100 - fi - if [ ! -f ~/.ssh/id_rsa ]; then - ssh-keygen -t rsa -b 4096 -o -a 100 - fi - - ssh_remove_small_moduli - echo 'configure_ssh_client' >> $COMPLETION_FILE -} - -function regenerate_ssh_keys { - if grep -Fxq "regenerate_ssh_keys" $COMPLETION_FILE; then - return - fi - rm -f /etc/ssh/ssh_host_* - dpkg-reconfigure openssh-server - ssh_remove_small_moduli - systemctl restart ssh - echo 'regenerate_ssh_keys' >> $COMPLETION_FILE -} - -function configure_dns { - if grep -Fxq "configure_dns" $COMPLETION_FILE; then - return - fi - echo 'domain localdomain' > /etc/resolv.conf - echo 'search localdomain' >> /etc/resolv.conf - echo "nameserver $NAMESERVER1" >> /etc/resolv.conf - echo "nameserver $NAMESERVER2" >> /etc/resolv.conf - - # prevent resolv.conf from changing - chattr +i /etc/resolv.conf - - echo 'configure_dns' >> $COMPLETION_FILE -} - -function set_hostname { - DEFAULT_DOMAIN_NAME="$1" - - echo "$DEFAULT_DOMAIN_NAME" > /etc/hostname - hostname $DEFAULT_DOMAIN_NAME - - if grep -q "127.0.1.1" /etc/hosts; then - sed -i "s/127.0.1.1.*/127.0.1.1 $DEFAULT_DOMAIN_NAME/g" /etc/hosts - else - echo "127.0.1.1 $DEFAULT_DOMAIN_NAME" >> /etc/hosts - fi -} - -function set_your_domain_name { - if grep -Fxq "set_your_domain_name" $COMPLETION_FILE; then - return - fi - - set_hostname $DEFAULT_DOMAIN_NAME - - echo 'set_your_domain_name' >> $COMPLETION_FILE -} - -function time_synchronisation { - # mesh peers typically don't sync over the internet - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - if [ -f /usr/local/bin/${PROJECT_NAME}-update-date ]; then - cp /usr/local/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate - else - cp /usr/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate - fi - chmod +x /usr/bin/updatedate - - if grep -Fxq "time_synchronisation" $COMPLETION_FILE; then - return - fi - - apt-get -y install tlsdate - apt-get -y remove ntpdate - - echo '*/15 * * * * root /usr/bin/updatedate' >> /etc/crontab - systemctl restart cron - - echo 'time_synchronisation' >> $COMPLETION_FILE -} - -function time_synchronisation_tlsdate { - # mesh peers typically don't sync over the internet - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - if [ -f /usr/local/bin/${PROJECT_NAME}-update-date ]; then - cp /usr/local/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate - else - cp /usr/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate - fi - chmod +x /usr/bin/updatedate - - if [ ! -d $INSTALL_DIR ]; then - mkdir -p $INSTALL_DIR - fi - set_repo_commit $INSTALL_DIR/tlsdate "tlsdate commit" "$TLSDATE_COMMIT" $TLSDATE_REPO - - if grep -Fxq "time_synchronisation_tlsdate" $COMPLETION_FILE; then - return - fi - - apt-get -y remove tlsdate ntpdate - apt-get -y install build-essential autoconf libevent-dev - - cd $INSTALL_DIR - git_clone $TLSDATE_REPO $INSTALL_DIR/tlsdate - cd $INSTALL_DIR/tlsdate - git checkout $TLSDATE_COMMIT -b $TLSDATE_COMMIT - ./autogen.sh - ./configure - if [ ! "$?" = "0" ]; then - echo $'Unable to configure tlsdate' - exit 6825277 - fi - make - if [ ! "$?" = "0" ]; then - echo $'Unable to build tlsdate' - exit 3792726 - fi - make install - - if ! grep -q "updatedate" /etc/crontab; then - echo '*/15 * * * * root /usr/bin/updatedate' >> /etc/crontab - systemctl restart cron - fi - - echo 'time_synchronisation_tlsdate' >> $COMPLETION_FILE -} - -function configure_firewall { - if grep -q "RELATED" /etc/firewall.conf; then - # recreate the firewall to remove RELATED - sed -i "/firewall/d" $COMPLETION_FILE - fi - if grep -Fxq "configure_firewall" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - iptables -P INPUT ACCEPT - ip6tables -P INPUT ACCEPT - iptables -F - ip6tables -F - iptables -t nat -F - ip6tables -t nat -F - iptables -X - ip6tables -X - iptables -P INPUT DROP - ip6tables -P INPUT DROP - iptables -A INPUT -i lo -j ACCEPT - iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT - - # Make sure incoming tcp connections are SYN packets - iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP - - # Drop packets with incoming fragments - iptables -A INPUT -f -j DROP - - # Drop bogons - iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP - iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP - iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - - # Incoming malformed NULL packets: - iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP - - echo 'configure_firewall' >> $COMPLETION_FILE -} - -function configure_firewall_ping { - if grep -Fxq "configure_firewall_ping" $COMPLETION_FILE; then - return - fi - # Only allow ping for mesh installs - if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then - return - fi - iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT - iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT - save_firewall_settings - echo 'configure_firewall_ping' >> $COMPLETION_FILE -} - -function configure_firewall_for_voip { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then - return - fi - if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT - iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_voip' >> $COMPLETION_FILE -} - -function configure_firewall_for_syncthing { - if grep -Fxq "configure_firewall_for_syncthing" $COMPLETION_FILE; then - return - fi - iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT - iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE -} - -function configure_firewall_for_voip_turn { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then - return - fi - if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT - iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT - iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE -} - - -function configure_firewall_for_sip4 { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then - return - fi - if grep -Fxq "configure_firewall_for_sip4" $COMPLETION_FILE; then - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT - iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT - iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT - iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_sip4' >> $COMPLETION_FILE -} - -function configure_firewall_for_ipfs { - if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then - return - fi - if grep -Fxq "configure_firewall_for_ipfs" $COMPLETION_FILE; then - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_ipfs' >> $COMPLETION_FILE -} - -function configure_firewall_for_avahi { - if grep -Fxq "configure_firewall_for_avahi" $COMPLETION_FILE; then - return - fi - iptables -A INPUT -p tcp --dport 548 -j ACCEPT - iptables -A INPUT -p udp --dport 548 -j ACCEPT - iptables -A INPUT -p tcp --dport 5353 -j ACCEPT - iptables -A INPUT -p udp --dport 5353 -j ACCEPT - iptables -A INPUT -p tcp --dport 5354 -j ACCEPT - iptables -A INPUT -p udp --dport 5354 -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_avahi' >> $COMPLETION_FILE -} - -function configure_firewall_for_cjdns { - if grep -Fxq "configure_firewall_for_cjdns" $COMPLETION_FILE; then - return - fi - if [[ $ENABLE_CJDNS != "yes" ]]; then - return - fi - ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE - ip6tables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_cjdns' >> $COMPLETION_FILE -} - -function configure_firewall_for_batman { - if grep -Fxq "configure_firewall_for_batman" $COMPLETION_FILE; then - return - fi - if [[ $ENABLE_BATMAN != "yes" ]]; then - return - fi - - save_firewall_settings - echo 'configure_firewall_for_batman' >> $COMPLETION_FILE -} - -function configure_firewall_for_babel { - if grep -Fxq "configure_firewall_for_babel" $COMPLETION_FILE; then - return - fi - if [[ $ENABLE_BABEL != "yes" ]]; then - return - fi - iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_babel' >> $COMPLETION_FILE -} - -function configure_firewall_for_zeronet { - if grep -Fxq "configure_firewall_for_zeronet" $COMPLETION_FILE; then - return - fi - if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then - return - fi - iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT - iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT - iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT - iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT - iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_zeronet' >> $COMPLETION_FILE -} - -function configure_firewall_for_dlna { - if grep -Fxq "configure_firewall_for_dlna" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then - return - fi - iptables -A INPUT -p udp --dport 1900 -j ACCEPT - iptables -A INPUT -p tcp --dport 8200 -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE -} - -function configure_firewall_for_dns { - if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_dns' >> $COMPLETION_FILE -} - -function configure_firewall_for_xmpp { - if [ ! -d /etc/prosody ]; then - return - fi - if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT - iptables -A INPUT -p tcp --dport 5269 -j ACCEPT - iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE -} - -function configure_firewall_for_irc { - if [ ! -d /etc/ngircd ]; then - return - fi - if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p tcp --dport $IRC_PORT -j ACCEPT - iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_irc' >> $COMPLETION_FILE -} - -function configure_firewall_for_ftp { - if grep -Fxq "configure_firewall_for_ftp" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -I INPUT -p tcp --dport 1024:65535 --sport 20:21 -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_ftp' >> $COMPLETION_FILE -} - -function configure_firewall_for_web_access { - if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p tcp --dport 32768:61000 --sport 80 -j ACCEPT - iptables -A INPUT -p tcp --dport 32768:61000 --sport 443 -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_web_access' >> $COMPLETION_FILE -} - -function configure_firewall_for_web_server { - if grep -Fxq "configure_firewall_for_web_server" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p tcp --dport 80 -j ACCEPT - iptables -A INPUT -p tcp --dport 443 -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE -} - -function configure_firewall_for_tox { - if grep -Fxq "configure_firewall_for_tox" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_tox' >> $COMPLETION_FILE -} - -function configure_firewall_for_ssh { - if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_ssh' >> $COMPLETION_FILE -} - -function configure_firewall_for_git { - if grep -Fxq "configure_firewall_for_git" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p tcp --dport 9418 -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_git' >> $COMPLETION_FILE -} - -function configure_firewall_for_email { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then - return - fi - if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then - return - fi - if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then - # docker does its own firewalling - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - iptables -A INPUT -p tcp --dport 25 -j ACCEPT - iptables -A INPUT -p tcp --dport 587 -j ACCEPT - iptables -A INPUT -p tcp --dport 465 -j ACCEPT - iptables -A INPUT -p tcp --dport 993 -j ACCEPT - save_firewall_settings - echo 'configure_firewall_for_email' >> $COMPLETION_FILE -} - -function configure_internet_protocol { - if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then - return - fi - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - sed -i "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf - sed -i "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf - sed -i "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf - sed -i "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf - sed -i "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf - sed -i "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf - sed -i "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf - sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf - sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf - sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf - if ! grep -q "ignore pings" /etc/sysctl.conf; then - echo '# ignore pings' >> /etc/sysctl.conf - echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf - echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf - fi - if ! grep -q "disable ipv6" /etc/sysctl.conf; then - echo '# disable ipv6' >> /etc/sysctl.conf - echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf - fi - if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then - echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf - echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf - fi - if ! grep -q "keepalive" /etc/sysctl.conf; then - echo '# keepalive' >> /etc/sysctl.conf - echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf - echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf - echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf - fi - echo 'configure_internet_protocol' >> $COMPLETION_FILE -} - -function install_command_line_browser { - if grep -Fxq "install_command_line_browser" $COMPLETION_FILE; then - return - fi - apt-get -y install elinks - - # set the home page - if ! grep -q "WWW_HOME" /home/$MY_USERNAME/.bashrc; then - if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then - echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$MY_USERNAME/.bashrc - else - sed -i "/control/i export WWW_HOME=$DEFAULT_SEARCH" /home/$MY_USERNAME/.bashrc - fi - fi - - echo 'install_command_line_browser' >> $COMPLETION_FILE -} - -function configure_email { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "configure_email" $COMPLETION_FILE; then - return - fi - apt-get -y remove postfix - apt-get -y install exim4 sasl2-bin swaks libnet-ssleay-perl procmail xinetd - - if [ ! -d /etc/exim4 ]; then - echo $"ERROR: Exim does not appear to have installed. $CHECK_MESSAGE" - exit 48 - fi - - onion_service_name='email' - if [ ! -d /var/lib/tor ]; then - echo $"No Tor installation found. ${onion_service_name} onion site cannot be configured." - exit 877367 - fi - if ! grep -q "hidden_service_${onion_service_name}" /etc/tor/torrc; then - echo "HiddenServiceDir /var/lib/tor/hidden_service_${onion_service_name}/" >> /etc/tor/torrc - echo 'HiddenServicePort 25 127.0.0.1:25' >> /etc/tor/torrc - echo 'HiddenServicePort 587 127.0.0.1:587' >> /etc/tor/torrc - echo 'HiddenServicePort 465 127.0.0.1:465' >> /etc/tor/torrc - echo 'HiddenServicePort 993 127.0.0.1:993' >> /etc/tor/torrc - echo $"Added onion site for ${onion_service_name}" - fi - - systemctl restart tor - wait_for_onion_service ${onion_service_name} - - if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then - echo $"${onion_service_name} onion site hostname not found" - exit 76362 - fi - EMAIL_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname) - - if [[ $ONION_ONLY != "no" ]]; then - set_hostname ${EMAIL_ONION_HOSTNAME} - MY_EMAIL_ADDRESS=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME} - fi - if ! grep -q "Email onion domain" $COMPLETION_FILE; then - echo "Email onion domain:${EMAIL_ONION_HOSTNAME}" >> $COMPLETION_FILE - else - sed -i "s|Email onion domain.*|Email onion domain:${EMAIL_ONION_HOSTNAME}|g" $COMPLETION_FILE - fi - - # see https://github.com/petterreinholdtsen/exim4-smtorp - echo '# tor stuff first' > /etc/exim4/conf.d/router/100_exim4-smtorp - echo '#' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo '# if were submitting mail *from* a .tor/.onion address,' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo '# make sure any header lines that may give us away is' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo '# stripped out, and add a new, cryptic Message-ID.' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo '# In address_data we store the name we should HELO as.' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo 'tor_to_any:' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' debug_print = "R: manualroute from .onion to $local_part@$domain"' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' driver = manualroute' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' domains = ! +local_domains' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' condition = ${if match {$sender_address_domain}{\N.*\.(onion|tor)$\N}}' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' address_data = $sender_address_domain' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' transport = remote_smtp_onion' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' self = send' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' route_list = * localhost' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' headers_remove = Received:Message-ID:X-Mailer:User-Agent' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' headers_add = Message-ID: <${lc:${sha1:$message_id}}@$sender_address_domain>' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo '' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo '# this catches the case where were submitting mail' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo '# from a regular email address where we dont need to' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo '# rewrite any headers' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo 'any_to_tor:' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' debug_print = "R: manualroute for $local_part@$domain"' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' driver = manualroute' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' domains = ! +local_domains' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' transport = remote_smtp_onion' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' self = send' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' route_list = *.onion localhost ; *.tor localhost' >> /etc/exim4/conf.d/router/100_exim4-smtorp - echo ' address_data = $smtp_active_hostname' >> /etc/exim4/conf.d/router/100_exim4-smtorp - - echo 'remote_smtp_onion:' > /etc/exim4/conf.d/transport/100_exim4-smtorp - echo ' debug_print = "T: remote_smtp_onion for $local_part@$original_domain"' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo ' driver = smtp' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo ' # set helo_data to where we want to connect to,' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo ' # for the proxy program tor-smtp' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo ' helo_data = "$address_data $original_domain"' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo ' # wherever we configured our script at' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo ' port = 12668' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo ' # cannot use TLS otherwise it will EHLO again!!' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - echo ' hosts_avoid_tls = *' >> /etc/exim4/conf.d/transport/100_exim4-smtorp - - if [ ! -d $INSTALL_DIR ]; then - mkdir -p $INSTALL_DIR - fi - cd $INSTALL_DIR - git_clone $EXIM_ONION_REPO $INSTALL_DIR/exim4-smtorp - cd $INSTALL_DIR/exim4-smtorp/tor-smtp - make - if [ ! -f $INSTALL_DIR/exim4-smtorp/tor-smtp/tor-smtp ]; then - echo $'Unable to make tor smtp transport' - exit 52629 - fi - if [ ! -d /usr/lib/exim4-smtorp ]; then - mkdir /usr/lib/exim4-smtorp - fi - cp $INSTALL_DIR/exim4-smtorp/tor-smtp/tor-smtp /usr/lib/exim4-smtorp/tor-smtp - if [ ! -f /usr/lib/exim4-smtorp/tor-smtp ]; then - echo $'Unable to copy tor-smtp' - exit 83503 - fi - cp $INSTALL_DIR/exim4-smtorp/xinetd /etc/xinetd.d/tor-smtp - if [ ! -f /etc/xinetd.d/tor-smtp ]; then - echo $'Unable to copy to xinetd.d' - exit 835954 - fi - systemctl restart xinetd - - # configure for Maildir format - sed -i 's/MAIL_DIR/#MAIL_DIR/g' /etc/login.defs - sed -i 's|#MAIL_FILE.*|MAIL_FILE Maildir/|g' /etc/login.defs - - if ! grep -q "export MAIL" /etc/profile; then - echo 'export MAIL=~/Maildir' >> /etc/profile - fi - - sed -i 's|pam_mail.so standard|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/login - sed -i 's|pam_mail.so standard noenv|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/sshd - sed -i 's|pam_mail.so nopen|pam_mail.so dir=~/Maildir nopen|g' /etc/pam.d/su - - echo 'dc_eximconfig_configtype="internet"' > /etc/exim4/update-exim4.conf.conf - if [[ $ONION_ONLY == "no" ]]; then - # both ICANN and onion domains - echo "dc_other_hostnames='${DEFAULT_DOMAIN_NAME};${EMAIL_ONION_HOSTNAME}'" >> /etc/exim4/update-exim4.conf.conf - else - echo "dc_other_hostnames='${EMAIL_ONION_HOSTNAME}'" >> /etc/exim4/update-exim4.conf.conf - fi - echo "dc_local_interfaces=''" >> /etc/exim4/update-exim4.conf.conf - echo "dc_readhost=''" >> /etc/exim4/update-exim4.conf.conf - echo "dc_relay_domains=''" >> /etc/exim4/update-exim4.conf.conf - echo "dc_minimaldns='false'" >> /etc/exim4/update-exim4.conf.conf - RELAY_NETS='192.168.1.0/24' - if [ $LOCAL_NETWORK_STATIC_IP_ADDRESS ]; then - RELAY_NETS=$(echo $LOCAL_NETWORK_STATIC_IP_ADDRESS | awk -F '.' '{print $1 "." $2 "." $3 ".0/24"}') - fi - echo "dc_relay_nets='$RELAY_NETS'" >> /etc/exim4/update-exim4.conf.conf - echo "dc_smarthost=''" >> /etc/exim4/update-exim4.conf.conf - echo "CFILEMODE='644'" >> /etc/exim4/update-exim4.conf.conf - echo "dc_use_split_config='false'" >> /etc/exim4/update-exim4.conf.conf - echo "dc_hide_mailname=''" >> /etc/exim4/update-exim4.conf.conf - echo "dc_mailname_in_oh='true'" >> /etc/exim4/update-exim4.conf.conf - echo "dc_localdelivery='maildir_home'" >> /etc/exim4/update-exim4.conf.conf - update-exim4.conf - sed -i "s/START=no/START=yes/g" /etc/default/saslauthd - systemctl start saslauthd - - # make a tls certificate for email - if [ ! -f /etc/ssl/certs/exim.dhparam ]; then - ${PROJECT_NAME}-addcert -h exim --dhkey $DH_KEYLENGTH - check_certificates exim - fi - cp /etc/ssl/private/exim.key /etc/exim4 - cp /etc/ssl/certs/exim.crt /etc/exim4 - cp /etc/ssl/certs/exim.dhparam /etc/exim4 - chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam - chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam - - sed -i '/login_saslauthd_server/,/.endif/ s/# *//' /etc/exim4/exim4.conf.template - sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME = $DEFAULT_DOMAIN_NAME\nMAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template - sed -i "s|SMTPLISTENEROPTIONS=''|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4 - if ! grep -q "tls_on_connect_ports=465" /etc/exim4/exim4.conf.template; then - sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' /etc/exim4/exim4.conf.template - fi - - adduser $MY_USERNAME sasl - addgroup Debian-exim sasl - systemctl restart exim4 - if [ ! -d /etc/skel/Maildir ]; then - mkdir -m 700 /etc/skel/.mutt - mkdir -m 700 /etc/skel/Maildir - mkdir -m 700 /etc/skel/Maildir/new - mkdir -m 700 /etc/skel/Maildir/cur - mkdir -m 700 /etc/skel/Maildir/Sent - mkdir -m 700 /etc/skel/Maildir/Sent/tmp - mkdir -m 700 /etc/skel/Maildir/Sent/cur - mkdir -m 700 /etc/skel/Maildir/Sent/new - mkdir -m 700 /etc/skel/Maildir/.learn-spam - mkdir -m 700 /etc/skel/Maildir/.learn-spam/cur - mkdir -m 700 /etc/skel/Maildir/.learn-spam/new - mkdir -m 700 /etc/skel/Maildir/.learn-spam/tmp - mkdir -m 700 /etc/skel/Maildir/.learn-ham - mkdir -m 700 /etc/skel/Maildir/.learn-ham/cur - mkdir -m 700 /etc/skel/Maildir/.learn-ham/new - mkdir -m 700 /etc/skel/Maildir/.learn-ham/tmp - ln -s /etc/skel/Maildir/.learn-spam /etc/skel/Maildir/spam - ln -s /etc/skel/Maildir/.learn-ham /etc/skel/Maildir/ham - fi - - if [ ! -d /home/$MY_USERNAME/Maildir ]; then - mkdir -m 700 /home/$MY_USERNAME/.mutt - mkdir -m 700 /home/$MY_USERNAME/Maildir - mkdir -m 700 /home/$MY_USERNAME/Maildir/cur - mkdir -m 700 /home/$MY_USERNAME/Maildir/tmp - mkdir -m 700 /home/$MY_USERNAME/Maildir/new - mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent - mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/cur - mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/tmp - mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/new - mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam - mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/cur - mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/new - mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/tmp - mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham - mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/cur - mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/new - mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/tmp - ln -s /home/$MY_USERNAME/Maildir/.learn-spam /home/$MY_USERNAME/Maildir/spam - ln -s /home/$MY_USERNAME/Maildir/.learn-ham /home/$MY_USERNAME/Maildir/ham - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir - fi - echo 'configure_email' >> $COMPLETION_FILE -} - -function create_procmail { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "create_procmail" $COMPLETION_FILE; then - return - fi - if [ ! -f /home/$MY_USERNAME/.procmailrc ]; then - echo 'MAILDIR=$HOME/Maildir' > /home/$MY_USERNAME/.procmailrc - echo 'DEFAULT=$MAILDIR/' >> /home/$MY_USERNAME/.procmailrc - echo 'LOGFILE=$HOME/log/procmail.log' >> /home/$MY_USERNAME/.procmailrc - echo 'LOGABSTRACT=all' >> /home/$MY_USERNAME/.procmailrc - echo '' >> /home/$MY_USERNAME/.procmailrc - echo $"# Tripwire reports which have no violations don't need to be logged" >> /home/$MY_USERNAME/.procmailrc - echo ':0 BD:' >> /home/$MY_USERNAME/.procmailrc - TRIPWIRE_VIOLATIONS_STR=$'Total violations found: 0' - echo " * .*$TRIPWIRE_VIOLATIONS_STR" >> /home/$MY_USERNAME/.procmailrc - echo '/dev/null' >> /home/$MY_USERNAME/.procmailrc - echo '' >> /home/$MY_USERNAME/.procmailrc - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc - fi - - mkdir -p /home/$MY_USERNAME/Maildir/admin/new - mkdir -p /home/$MY_USERNAME/Maildir/admin/cur - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir/admin - - if [ ! -f /etc/skel/.procmailrc ]; then - cp /home/$MY_USERNAME/.procmailrc /etc/skel/.procmailrc - chown root:root /etc/skel/.procmailrc - fi - - echo 'create_procmail' >> $COMPLETION_FILE -} - -function handle_admin_emails { - # keep emails for root in a separate folder - if [ -d /home/$MY_USERNAME/Maildir/admin ]; then - return - fi - - freedombone-addemail -u $MY_USERNAME -e "root@$DEFAULT_DOMAIN_NAME" -g admin --public no -} - -function spam_filtering { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "spam_filtering" $COMPLETION_FILE; then - return - fi - apt-get -y install exim4-daemon-heavy - apt-get -y install spamassassin - if [ ! -f /etc/default/spamassassin ]; then - echo 'Spamassassin was not installed' - exit 72570 - fi - sa-update -v - sed -i 's/ENABLED=0/ENABLED=1/g' /etc/default/spamassassin - sed -i 's/# spamd_address = 127.0.0.1 783/spamd_address = 127.0.0.1 783/g' /etc/exim4/exim4.conf.template - # This configuration is based on https://wiki.debian.org/DebianSpamAssassin - sed -i 's/local_parts = postmaster/local_parts = postmaster:abuse/g' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt - sed -i '/domains = +local_domains : +relay_to_domains/a\ set acl_m0 = rfcnames' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt - sed -i 's/accept/accept condition = ${if eq{$acl_m0}{rfcnames} {1}{0}}/g' /etc/exim4/conf.d/acl/40_exim4-config_check_data - echo 'warn message = X-Spam-Score: $spam_score ($spam_bar)' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data - echo ' spam = nobody:true' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data - echo 'warn message = X-Spam-Flag: YES' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data - echo ' spam = nobody' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data - echo 'warn message = X-Spam-Report: $spam_report' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data - echo ' spam = nobody' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data - echo '# reject spam at high scores (> 12)' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data - echo 'deny message = This message scored $spam_score spam points.' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data - echo ' spam = nobody:true' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data - echo ' condition = ${if >{$spam_score_int}{120}{1}{0}}' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data - # procmail configuration - echo '# get spamassassin to check emails' >> /home/$MY_USERNAME/.procmailrc - echo ':0fw: .spamassassin.lock' >> /home/$MY_USERNAME/.procmailrc - echo ' * < 256000' >> /home/$MY_USERNAME/.procmailrc - echo '| spamc' >> /home/$MY_USERNAME/.procmailrc - echo '# strong spam are discarded' >> /home/$MY_USERNAME/.procmailrc - echo ':0' >> /home/$MY_USERNAME/.procmailrc - echo ' * ^X-Spam-Level: \*\*\*\*\*\*' >> /home/$MY_USERNAME/.procmailrc - echo '/dev/null' >> /home/$MY_USERNAME/.procmailrc - echo '# weak spam are kept just in case - clear this out every now and then' >> /home/$MY_USERNAME/.procmailrc - echo ':0' >> /home/$MY_USERNAME/.procmailrc - echo ' * ^X-Spam-Level: \*\*\*\*\*' >> /home/$MY_USERNAME/.procmailrc - echo 'maybe-spam/' >> /home/$MY_USERNAME/.procmailrc - echo '# otherwise, marginal spam goes here for revision' >> /home/$MY_USERNAME/.procmailrc - echo ':0' >> /home/$MY_USERNAME/.procmailrc - echo ' * ^X-Spam-Level: \*\*' >> /home/$MY_USERNAME/.procmailrc - echo 'spam/' >> /home/$MY_USERNAME/.procmailrc - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc - echo '# get spamassassin to check emails' >> /etc/skel/.procmailrc - echo ':0fw: .spamassassin.lock' >> /etc/skel/.procmailrc - echo ' * < 256000' >> /etc/skel/.procmailrc - echo '| spamc' >> /etc/skel/.procmailrc - echo '# strong spam are discarded' >> /etc/skel/.procmailrc - echo ':0' >> /etc/skel/.procmailrc - echo ' * ^X-Spam-Level: \*\*\*\*\*\*' >> /etc/skel/.procmailrc - echo '/dev/null' >> /etc/skel/.procmailrc - echo '# weak spam are kept just in case - clear this out every now and then' >> /etc/skel/.procmailrc - echo ':0' >> /etc/skel/.procmailrc - echo ' * ^X-Spam-Level: \*\*\*\*\*' >> /etc/skel/.procmailrc - echo 'maybe-spam/' >> /etc/skel/.procmailrc - echo '# otherwise, marginal spam goes here for revision' >> /etc/skel/.procmailrc - echo ':0' >> /etc/skel/.procmailrc - echo ' * ^X-Spam-Level: \*\*' >> /etc/skel/.procmailrc - echo 'spam/' >> /etc/skel/.procmailrc - # filtering scripts - echo '#!/bin/bash' > /usr/bin/filterspam - echo 'for d in /home/*/ ; do' >> /usr/bin/filterspam - echo ' USERNAME=$(echo "$d" | awk -F '"'"'/'"'"' '"'"'{print $3}'"'"')' >> /usr/bin/filterspam - echo ' if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then' >> /usr/bin/filterspam - echo ' MAILDIR=/home/$USERNAME/Maildir/.learn-spam' >> /usr/bin/filterspam - echo ' if [ ! -d "$MAILDIR" ]; then' >> /usr/bin/filterspam - echo ' exit' >> /usr/bin/filterspam - echo ' fi' >> /usr/bin/filterspam - echo ' for f in `ls $MAILDIR/cur`' >> /usr/bin/filterspam - echo ' do' >> /usr/bin/filterspam - echo ' spamc -L spam < "$MAILDIR/cur/$f" > /dev/null' >> /usr/bin/filterspam - echo ' rm "$MAILDIR/cur/$f"' >> /usr/bin/filterspam - echo ' done' >> /usr/bin/filterspam - echo ' for f in `ls $MAILDIR/new`' >> /usr/bin/filterspam - echo ' do' >> /usr/bin/filterspam - echo ' spamc -L spam < "$MAILDIR/new/$f" > /dev/null' >> /usr/bin/filterspam - echo ' rm "$MAILDIR/new/$f"' >> /usr/bin/filterspam - echo ' done' >> /usr/bin/filterspam - echo ' fi' >> /usr/bin/filterspam - echo 'done' >> /usr/bin/filterspam - echo 'exit 0' >> /usr/bin/filterspam - - echo '#!/bin/bash' > /usr/bin/filterham - echo 'for d in /home/*/ ; do' >> /usr/bin/filterham - echo ' USERNAME=$(echo "$d" | awk -F '"'"'/'"'"' '"'"'{print $3}'"'"')' >> /usr/bin/filterham - echo ' if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then' >> /usr/bin/filterham - echo ' MAILDIR=/home/$USERNAME/Maildir/.learn-ham' >> /usr/bin/filterham - echo ' if [ ! -d "$MAILDIR" ]; then' >> /usr/bin/filterham - echo ' exit' >> /usr/bin/filterham - echo ' fi' >> /usr/bin/filterham - echo ' for f in `ls $MAILDIR/cur`' >> /usr/bin/filterham - echo ' do' >> /usr/bin/filterham - echo ' spamc -L ham < "$MAILDIR/cur/$f" > /dev/null' >> /usr/bin/filterham - echo ' rm "$MAILDIR/cur/$f"' >> /usr/bin/filterham - echo ' done' >> /usr/bin/filterham - echo ' for f in `ls $MAILDIR/new`' >> /usr/bin/filterham - echo ' do' >> /usr/bin/filterham - echo ' spamc -L ham < "$MAILDIR/new/$f" > /dev/null' >> /usr/bin/filterham - echo ' rm "$MAILDIR/new/$f"' >> /usr/bin/filterham - echo ' done' >> /usr/bin/filterham - echo ' fi' >> /usr/bin/filterham - echo 'done' >> /usr/bin/filterham - echo 'exit 0' >> /usr/bin/filterham - - if ! grep -q "filterspam" /etc/crontab; then - echo "*/3 * * * * root /usr/bin/timeout 120 /usr/bin/filterspam" >> /etc/crontab - fi - if ! grep -q "filterham" /etc/crontab; then - echo "*/3 * * * * root /usr/bin/timeout 120 /usr/bin/filterham" >> /etc/crontab - fi - chmod 655 /usr/bin/filterspam /usr/bin/filterham - sed -i 's/# use_bayes 1/use_bayes 1/g' /etc/mail/spamassassin/local.cf - sed -i 's/# bayes_auto_learn 1/bayes_auto_learn 1/g' /etc/mail/spamassassin/local.cf - - # user preferences - if [ ! -d /home/$MY_USERNAME/.spamassassin ]; then - mkdir /home/$MY_USERNAME/.spamassassin - echo $'# How many points before a mail is considered spam.' > /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# required_score 5' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# Whitelist and blacklist addresses are now file-glob-style patterns, so' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# whitelist_from someone@somewhere.com' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# Add your own customised scores for some tests below. The default scores are' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# read from the installed spamassassin rules files, but you can override them' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# here. To see the list of tests and their default scores, go to' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# http://spamassassin.apache.org/tests.html .' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '#' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# score SYMBOLIC_TEST_NAME n.nn' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# definitely want to uncomment the following lines. They will switch off some' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# rules that detect 8-bit characters, which commonly trigger on mails using CJK' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# character sets, or that assume a western-style charset is in use. ' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# ' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# score HTML_COMMENT_8BITS 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# score UPPERCASE_25_50 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# score UPPERCASE_50_75 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# score UPPERCASE_75_100 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# score OBSCURED_EMAIL 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# Speakers of any language that uses non-English, accented characters may wish' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# to uncomment the following lines. They turn off rules that fire on' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# misformatted messages generated by common mail apps in contravention of the' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo $'# email RFCs.' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs - echo '# score SUBJ_ILLEGAL_CHARS 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs - fi - # this must be accessible by root - chown -R $MY_USERNAME:root /home/$MY_USERNAME/.spamassassin - - systemctl restart spamassassin - systemctl restart exim4 - systemctl restart cron - - echo 'spam_filtering' >> $COMPLETION_FILE -} - -function configure_imap { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "configure_imap" $COMPLETION_FILE; then - return - fi - - dpkg -P dovecot-imapd - dpkg -P dovecot-core - apt-get -y install dovecot-imapd - - if [ ! -d /etc/dovecot ]; then - echo $"ERROR: Dovecot does not appear to have installed. $CHECK_MESSAGE" - exit 48 - fi - - if [ ! -f /etc/ssl/certs/dovecot.dhparam ]; then - ${PROJECT_NAME}-addcert -h dovecot --dhkey $DH_KEYLENGTH - check_certificates dovecot - fi - chown root:dovecot /etc/ssl/certs/dovecot.* - chown root:dovecot /etc/ssl/private/dovecot.* - - if [ ! -f /etc/dovecot/conf.d/10-ssl.conf ]; then - echo $'Unable to find /etc/dovecot/conf.d/10-ssl.conf' - exit 83629 - fi - sed -i 's|#ssl =.*|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf - sed -i 's|ssl = no|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf - sed -i 's|ssl = yes|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf - sed -i 's|#ssl_cert =.*|ssl_cert = > /etc/dovecot/conf.d/10-ssl.conf - - if [ ! -f /etc/dovecot/conf.d/10-master.conf ]; then - echo $'Unable to find /etc/dovecot/conf.d/10-master.conf' - exit 49259 - fi - sed -i 's/#process_limit =.*/process_limit = 100/g' /etc/dovecot/conf.d/10-master.conf - sed -i 's/#default_client_limit.*/default_client_limit = 100/g' /etc/dovecot/conf.d/10-master.conf - sed -i 's|#default_process_limit =.*|default_process_limit = 100|g' /etc/dovecot/conf.d/10-master.conf - - if [ ! -f /etc/dovecot/conf.d/10-logging.conf ]; then - echo $'Unable to find /etc/dovecot/conf.d/10-logging.conf' - exit 48936 - fi - sed -i 's/#auth_verbose.*/auth_verbose = yes/g' /etc/dovecot/conf.d/10-logging.conf - - if [ ! -f /etc/dovecot/dovecot.conf ]; then - echo $'Unable to find /etc/dovecot/dovecot.conf' - exit 43890 - fi - sed -i 's/#listen =.*/listen = */g' /etc/dovecot/dovecot.conf - - if [ ! -f /etc/dovecot/conf.d/10-auth.conf ]; then - echo $'Unable to find /etc/dovecot/conf.d/10-auth.conf' - exit 843256 - fi - sed -i 's/#disable_plaintext_auth =.*/disable_plaintext_auth = no/g' /etc/dovecot/conf.d/10-auth.conf - sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf - - if [ ! -f /etc/dovecot/conf.d/10-mail.conf ]; then - echo $'Unable to find /etc/dovecot/conf.d/10-mail.conf' - exit 42036 - fi - sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf - - # This long notify interval makes the system more suited for use with - # battery powered mobile devices - sed -i 's|#imap_idle_notify_interval =.*|imap_idle_notify_interval = 29|g' /etc/dovecot/conf.d/20-imap.conf - - if [ -f /var/lib/dovecot/ssl-parameters.dat ]; then - rm /var/lib/dovecot/ssl-parameters.dat - fi - - systemctl restart dovecot - echo 'configure_imap' >> $COMPLETION_FILE -} - -function configure_imap_client_certs { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "configure_imap_client_certs" $COMPLETION_FILE; then - return - fi - # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/ - sed -i 's|#default_process_limit =.*|default_process_limit = 100|g' /etc/dovecot/conf.d/10-master.conf - sed -i 's/disable_plaintext_auth =.*/disable_plaintext_auth = yes/g' /etc/dovecot/conf.d/10-auth.conf - sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf - sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf - sed -i "s|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/ca-$DEFAULT_DOMAIN_NAME.crt|g" /etc/dovecot/conf.d/10-ssl.conf - sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf - sed -i 's|#ssl_verify_client_cert =.*|ssl_verify_client_cert = yes|g' /etc/dovecot/conf.d/10-ssl.conf - if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then - echo '' >> /etc/dovecot/conf.d/10-auth.conf - echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf - echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf - echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf - echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf - echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf - echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf - echo '}' >> /etc/dovecot/conf.d/10-auth.conf - fi - if [[ $ONION_ONLY == "no" ]]; then - # make a CA cert - if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then - if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then - ${PROJECT_NAME}-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH - else - ${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --ca "" --dhkey $DH_KEYLENGTH --email $MY_EMAIL_ADDRESS - fi - fi - fi - # CA configuration - echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf - echo "default_ca = dovecot-ca" >> /etc/ssl/dovecot-ca.cnf - echo '' >> /etc/ssl/dovecot-ca.cnf - echo '[ crl_ext ]' >> /etc/ssl/dovecot-ca.cnf - echo 'authorityKeyIdentifier=keyid:always' >> /etc/ssl/dovecot-ca.cnf - echo '' >> /etc/ssl/dovecot-ca.cnf - echo '[ dovecot-ca ]' >> /etc/ssl/dovecot-ca.cnf - echo 'new_certs_dir = .' >> /etc/ssl/dovecot-ca.cnf - echo 'unique_subject = no' >> /etc/ssl/dovecot-ca.cnf - echo "certificate = /etc/ssl/certs/ca-$DEFAULT_DOMAIN_NAME.crt" >> /etc/ssl/dovecot-ca.cnf - echo 'database = ssldb' >> /etc/ssl/dovecot-ca.cnf - echo "private_key = /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key" >> /etc/ssl/dovecot-ca.cnf - echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf - echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf - echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf - echo 'default_bits = 4096' >> /etc/ssl/dovecot-ca.cnf - echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf - echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf - echo '' >> /etc/ssl/dovecot-ca.cnf - echo '[ dovecot-ca_policy ]' >> /etc/ssl/dovecot-ca.cnf - echo 'commonName = supplied' >> /etc/ssl/dovecot-ca.cnf - echo 'stateOrProvinceName = supplied' >> /etc/ssl/dovecot-ca.cnf - echo 'countryName = supplied' >> /etc/ssl/dovecot-ca.cnf - echo 'emailAddress = optional' >> /etc/ssl/dovecot-ca.cnf - echo 'organizationName = supplied' >> /etc/ssl/dovecot-ca.cnf - echo 'organizationalUnitName = optional' >> /etc/ssl/dovecot-ca.cnf - echo '' >> /etc/ssl/dovecot-ca.cnf - echo '[ dovecot-ca_extensions ]' >> /etc/ssl/dovecot-ca.cnf - echo 'basicConstraints = CA:false' >> /etc/ssl/dovecot-ca.cnf - echo 'subjectKeyIdentifier = hash' >> /etc/ssl/dovecot-ca.cnf - echo 'authorityKeyIdentifier = keyid:always' >> /etc/ssl/dovecot-ca.cnf - echo 'keyUsage = digitalSignature,keyEncipherment' >> /etc/ssl/dovecot-ca.cnf - echo 'extendedKeyUsage = clientAuth' >> /etc/ssl/dovecot-ca.cnf - if [ -f /etc/ssl/ssldb ]; then - rm /etc/ssl/ssldb - fi - if [ -f /etc/ssl/sslserial ]; then - rm /etc/ssl/sslserial - fi - touch /etc/ssl/ssldb - echo 0001 > /etc/ssl/sslserial - #${PROJECT_NAME}-clientcert -u $MY_USERNAME - systemctl restart dovecot - echo 'configure_imap_client_certs' >> $COMPLETION_FILE -} - -function create_gpg_subkey { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "create_gpg_subkey" $COMPLETION_FILE; then - return - fi - apt-get -y install gnupg - - GPG_KEY_USAGE=$1 - if [[ $GPG_KEY_USAGE != "sign" && $GPG_KEY_USAGE != "auth" && $GPG_KEY_USAGE != "encrypt" ]]; then - echo $"Unknown subkey usage: $GPG_KEY_USAGE" - echo $'Available types: sign|auth|encrypt' - exit 14783 - fi - - KEYGRIP=$(gpg --fingerprint --fingerprint $MY_EMAIL_ADDRESS | grep fingerprint | tail -1 | cut -d= -f2 | sed -e 's/ //g') - - # Generate a GPG subkey - # Here a 2048bit length is used to be compatible with yubikey - echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf - echo "Key-Grip: $KEYGRIP" > /home/$MY_USERNAME/gpg-genkey.conf - echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf - echo 'Subkey-Length: 2048' >> /home/$MY_USERNAME/gpg-genkey.conf - echo "subkey-Usage: $GPG_KEY_USAGE" > /home/$MY_USERNAME/gpg-genkey.conf - echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf - echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf - echo "Name-Comment: $GPG_KEY_USAGE" >> /home/$MY_USERNAME/gpg-genkey.conf - echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf - su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME - shred -zu /home/$MY_USERNAME/gpg-genkey.conf - MY_GPG_SUBKEY_ID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') - - echo 'create_gpg_subkey' >> $COMPLETION_FILE -} - -function gpg_key_exists { - key_owner_username=$1 - key_search_text=$2 - if [[ $key_owner_username != "root" ]]; then - KEY_EXISTS=$(su -c "gpg --list-keys \"${key_search_text}\"" - $key_owner_username) - else - KEY_EXISTS=$(gpg --list-keys "${key_search_text}") - fi - if [ ! "$KEY_EXISTS" ]; then - echo "no" - return - fi - if [ "$KEY_EXISTS" == *"error"* ]; then - echo "no" - return - fi - echo "yes" -} - -function gpg_pubkey_from_email { - key_owner_username=$1 - key_email_address=$2 - key_id= - if [[ $key_owner_username != "root" ]]; then - key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') - else - key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') - fi - echo $key_id -} - -function configure_gpg { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "configure_gpg" $COMPLETION_FILE; then - return - fi - apt-get -y install gnupg - - gpg_dir=/home/$MY_USERNAME/.gnupg - - # if gpg keys directory was previously imported from usb - if [[ $GPG_KEYS_IMPORTED == "yes" && -d $gpg_dir ]]; then - echo $'GPG keys were imported' - sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" $gpg_dir/gpg.conf - MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") - if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then - echo $'GPG public key ID could not be obtained' - fi - chown -R $MY_USERNAME:$MY_USERNAME $gpg_dir - chmod 700 $gpg_dir - chmod 600 $gpg_dir/* - echo 'configure_gpg' >> $COMPLETION_FILE - return - fi - - if [ ! -d $gpg_dir ]; then - mkdir $gpg_dir - echo "keyserver $GPG_KEYSERVER" >> $gpg_dir/gpg.conf - echo 'keyserver-options auto-key-retrieve' >> $gpg_dir/gpg.conf - fi - - sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" $gpg_dir/gpg.conf - - if ! grep -q "# default preferences" $gpg_dir/gpg.conf; then - echo '' >> $gpg_dir/gpg.conf - echo '# default preferences' >> $gpg_dir/gpg.conf - echo 'personal-digest-preferences SHA256' >> $gpg_dir/gpg.conf - echo 'cert-digest-algo SHA256' >> $gpg_dir/gpg.conf - echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> $gpg_dir/gpg.conf - fi - - chown -R $MY_USERNAME:$MY_USERNAME $gpg_dir - chmod 700 $gpg_dir - chmod 600 $gpg_dir/* - - if [[ $MY_GPG_PUBLIC_KEY && $MY_GPG_PRIVATE_KEY ]]; then - echo $'Importing GPG keys from file' - echo $"Public key: $MY_GPG_PUBLIC_KEY" - echo $"Private key: $MY_GPG_PRIVATE_KEY" - - # use your existing GPG keys which were exported - if [ ! -f $MY_GPG_PUBLIC_KEY ]; then - echo $"GPG public key file $MY_GPG_PUBLIC_KEY was not found" - exit 2483 - fi - if [ ! -f $MY_GPG_PRIVATE_KEY ]; then - echo $"GPG private key file $MY_GPG_PRIVATE_KEY was not found" - exit 5383 - fi - su -c "gpg --import $MY_GPG_PUBLIC_KEY" - $MY_USERNAME - su -c "gpg --allow-secret-key-import --import $MY_GPG_PRIVATE_KEY" - $MY_USERNAME - KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS") - if [[ $KEY_EXISTS == "no" ]]; then - echo $"The GPG key for $MY_EMAIL_ADDRESS could not be imported" - exit 13821 - fi - - # for security ensure that the private key file doesn't linger around - shred -zu $MY_GPG_PRIVATE_KEY - MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") - if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then - echo $'GPG public key ID could not be obtained' - fi - else - # Generate a GPG key - echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf - echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf - echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf - echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf - echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf - echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf - echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf - echo $'Generating a new GPG key' - su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME - KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS") - if [[ $KEY_EXISTS == "no" ]]; then - echo $"A GPG key for $MY_EMAIL_ADDRESS could not be created" - exit 6362 - fi - shred -zu /home/$MY_USERNAME/gpg-genkey.conf - MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") - if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then - echo $'GPG public key ID could not be obtained' - fi - MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg - su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME - - if grep -q "configure_email" $COMPLETION_FILE; then - if ! grep -q $"Change your GPG password" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Change your GPG password' >> /home/$MY_USERNAME/README - echo '========================' >> /home/$MY_USERNAME/README - echo $"It's very important to add a password to your GPG key so that" >> /home/$MY_USERNAME/README - echo $"if anyone does get access to your email they still won't be able" >> /home/$MY_USERNAME/README - echo $'to read them without knowning the GPG password.' >> /home/$MY_USERNAME/README - echo $'You can change the it with:' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo " gpg --edit-key $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README - echo ' passwd' >> /home/$MY_USERNAME/README - echo ' save' >> /home/$MY_USERNAME/README - echo ' quit' >> /home/$MY_USERNAME/README - fi - if ! grep -q $"Publish your GPG public key" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Publish your GPG public key' >> /home/$MY_USERNAME/README - echo '===========================' >> /home/$MY_USERNAME/README - echo $'So that others can send emails to you securely you should' >> /home/$MY_USERNAME/README - echo $'publish your GPG public key with the command:' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo " gpg --send-keys $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README - fi - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - fi - - echo 'configure_gpg' >> $COMPLETION_FILE -} - -function refresh_gpg_keys { - REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys - echo '#!/bin/bash' > $REFRESH_GPG_KEYS_SCRIPT - echo "if [ -f /usr/local/bin/${PROJECT_NAME}-sec ]; then" >> $REFRESH_GPG_KEYS_SCRIPT - echo " /usr/bin/timeout 600 /usr/local/bin/${PROJECT_NAME}-sec --refresh yes" >> $REFRESH_GPG_KEYS_SCRIPT - echo 'else' >> $REFRESH_GPG_KEYS_SCRIPT - echo " /usr/bin/timeout 600 /usr/bin/${PROJECT_NAME}-sec --refresh yes" >> $REFRESH_GPG_KEYS_SCRIPT - echo 'fi' >> $REFRESH_GPG_KEYS_SCRIPT - chmod +x $REFRESH_GPG_KEYS_SCRIPT - - if grep -q "${PROJECT_NAME}-sec" /etc/crontab; then - sed -i "/${PROJECT_NAME}-sec /d" /etc/crontab - fi - if ! grep -q "$REFRESH_GPG_KEYS_SCRIPT" /etc/crontab; then - GPG_REFRESH_TIME=$(( RANDOM % 60 )) - echo "$GPG_REFRESH_TIME */$REFRESH_GPG_KEYS_HOURS * * * root cronic $REFRESH_GPG_KEYS_SCRIPT" >> /etc/crontab - systemctl restart cron - else - sed -i "s|root $REFRESH_GPG_KEYS_SCRIPT.*|root cronic $REFRESH_GPG_KEYS_SCRIPT|g" /etc/crontab - fi -} - -function configure_backup_key { - if grep -Fxq "configure_backup_key" $COMPLETION_FILE; then - return - fi - apt-get -y install gnupg - - BACKUP_KEY_EXISTS=$(gpg_key_exists "root" "$MY_NAME (backup key)") - if [[ $BACKUP_KEY_EXISTS == "yes" ]]; then - return - fi - - # Generate a GPG key for backups - BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)") - if [[ $BACKUP_KEY_EXISTS == "no" ]]; then - echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf - echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf - echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf - echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf - echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf - echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf - echo "Name-Comment: backup key" >> /home/$MY_USERNAME/gpg-genkey.conf - echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf - echo $'Backup key does not exist. Creating it.' - su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME - shred -zu /home/$MY_USERNAME/gpg-genkey.conf - echo $'Checking that the Backup key was created' - BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)") - if [[ $BACKUP_KEY_EXISTS == "no" ]]; then - echo $'Backup key could not be created' - exit 43382 - fi - fi - MY_BACKUP_KEY_ID=$(su -c "gpg --list-keys \"$MY_NAME (backup key)\" | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') - echo "Backup key: $MY_BACKUP_KEY_ID" - MY_BACKUP_KEY=/home/$MY_USERNAME/backup_key - su -c "gpg --output ${MY_BACKUP_KEY}_public.asc --armor --export $MY_BACKUP_KEY_ID" - $MY_USERNAME - su -c "gpg --output ${MY_BACKUP_KEY}_private.asc --armor --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME - if [ ! -f ${MY_BACKUP_KEY}_public.asc ]; then - echo 'Public backup key could not be exported' - exit 36829 - fi - if [ ! -f ${MY_BACKUP_KEY}_private.asc ]; then - echo 'Private backup key could not be exported' - exit 29235 - fi - - # import backup key to root user - gpg --import --import ${MY_BACKUP_KEY}_public.asc - gpg --allow-secret-key-import --import ${MY_BACKUP_KEY}_private.asc - - shred -zu ${MY_BACKUP_KEY}_public.asc - shred -zu ${MY_BACKUP_KEY}_private.asc - - echo 'configure_backup_key' >> $COMPLETION_FILE -} - -function install_monkeysphere { - if grep -Fxq "install_monkeysphere" $COMPLETION_FILE; then - return - fi - apt-get -y install monkeysphere msva-perl - #su -c "monkeysphere gen-subkey $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME - mkdir /home/$MY_USERNAME/.monkeysphere - chmod 755 /home/$MY_USERNAME/.monkeysphere - echo "$MY_NAME <${MY_EMAIL_ADDRESS}>" > /home/$MY_USERNAME/.monkeysphere/authorized_user_ids - chmod 644 /home/$MY_USERNAME/.monkeysphere/authorized_user_ids - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.monkeysphere - monkeysphere-authentication update-users - - if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then - echo $'monkeysphere import: ssh host key not found' - exit 76295 - fi - monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME - SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}') - monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME - - if [ ! $MY_GPG_PUBLIC_KEY_ID ]; then - MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME") - if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then - echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME' - exit 52825 - fi - fi - # The admin user is the identity certifier - fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}') - monkeysphere-authentication add-identity-certifier $fpr - - echo 'install_monkeysphere' >> $COMPLETION_FILE -} - -function encrypt_incoming_email { - # encrypts incoming mail using your GPG public key - # so even if an attacker gains access to the data at rest they still need - # to know your GPG key password to be able to read anything - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - # update to the next commit - set_repo_commit $INSTALL_DIR/gpgit "gpgit commit" "$GPGIT_COMMIT" $GPGIT_REPO - - if grep -Fxq "encrypt_incoming_email" $COMPLETION_FILE; then - return - fi - - if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then - return - fi - - if [ ! -f /usr/bin/gpgit.pl ]; then - apt-get -y install git libmail-gnupg-perl - cd $INSTALL_DIR - git_clone $GPGIT_REPO $INSTALL_DIR/gpgit - cd $INSTALL_DIR/gpgit - git checkout $GPGIT_COMMIT -b $GPGIT_COMMIT - if ! grep -q "gpgit commit" $COMPLETION_FILE; then - echo "gpgit commit:$GPGIT_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/gpgit commit.*/gpgit commit:$GPGIT_COMMIT/g" $COMPLETION_FILE - fi - cp gpgit.pl /usr/bin - fi - - # add a procmail rule - if ! grep -q "/usr/bin/gpgit.pl" /home/$MY_USERNAME/.procmailrc; then - echo '' >> /home/$MY_USERNAME/.procmailrc - echo ':0 f' >> /home/$MY_USERNAME/.procmailrc - echo "| /usr/bin/gpgit.pl --encrypt-mode prefer-inline --inline-flatten $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/.procmailrc - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc - echo '' >> /etc/skel/.procmailrc - echo ':0 f' >> /etc/skel/.procmailrc - echo -n '| /usr/bin/gpgit.pl --encrypt-mode prefer-inline --inline-flatten $USER@' >> /etc/skel/.procmailrc - echo "$DEFAULT_DOMAIN_NAME" >> /etc/skel/.procmailrc - fi - echo 'encrypt_incoming_email' >> $COMPLETION_FILE -} - -function encrypt_outgoing_email { - # encrypts outgoing mail using your GPG public key - # so even if an attacker gains access to the data at rest they still need - # to know your GPG key password to be able to read sent mail - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "encrypt_outgoing_email" $COMPLETION_FILE; then - return - fi - if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then - return - fi - - if [ ! -d /home/$MY_USERNAME/.gnupg ]; then - return - fi - - if [ ! -f /home/$MY_USERNAME/.muttrc ]; then - return - fi - - # obtain your public key ID - if [ ! $MY_GPG_PUBLIC_KEY_ID ]; then - MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") - if [ ! "$MY_GPG_PUBLIC_KEY_ID" ]; then - return - fi - if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then - return - fi - fi - - if ! grep -q "pgp_encrypt_only_command" /home/$MY_USERNAME/.muttrc; then - echo '' >> /home/$MY_USERNAME/.muttrc - echo $'# Encrypt items in the Sent folder' >> /home/$MY_USERNAME/.muttrc - echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc - else - sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc - fi - - if ! grep -q "pgp_encrypt_sign_command" /home/$MY_USERNAME/.muttrc; then - echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc - else - sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc - fi - - echo 'encrypt_outgoing_email' >> $COMPLETION_FILE -} - -function encrypt_all_email { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then - return - fi - - if [ -f /usr/local/bin/${PROJECT_NAME}-encrypt-mail ]; then - cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir - else - cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir - fi - chmod +x /usr/bin/encmaildir - - if grep -Fxq "encrypt_all_email" $COMPLETION_FILE; then - return - fi - - if [ ! /home/$MY_USERNAME/README ]; then - touch /home/$MY_USERNAME/README - fi - if ! grep -q $"If you have imported legacy email which is not encrypted" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Encrypting legacy email' >> /home/$MY_USERNAME/README - echo '=======================' >> /home/$MY_USERNAME/README - echo $'If you have imported legacy email which is not encrypted' >> /home/$MY_USERNAME/README - echo $'then it can be encrypted with the command:' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo ' encmaildir' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'But be warned that depending upon how much email you have' >> /home/$MY_USERNAME/README - echo $'this could take a seriously LONG time on the Beaglebone' >> /home/$MY_USERNAME/README - echo $'and may be better done on a faster machine.' >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'encrypt_all_email' >> $COMPLETION_FILE -} - -function email_client { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "email_client" $COMPLETION_FILE; then - return - fi - apt-get -y install mutt-patched lynx abook - - if [ ! -f /etc/Muttrc ]; then - echo $"ERROR: Mutt does not appear to have installed. $CHECK_MESSAGE" - exit 49 - fi - - if [ ! -d /home/$MY_USERNAME/.mutt ]; then - mkdir /home/$MY_USERNAME/.mutt - fi - echo "text/html; lynx -dump -width=78 -nolist %s | sed ‘s/^ //’; copiousoutput; needsterminal; nametemplate=%s.html" > /home/$MY_USERNAME/.mutt/mailcap - cp /home/$MY_USERNAME/.mutt/mailcap /etc/skel/.mutt - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.mutt - chown -R root:root /etc/skel/.mutt - - echo 'set mbox_type=Maildir' >> /etc/Muttrc - echo 'set folder="~/Maildir"' >> /etc/Muttrc - echo 'set mask="!^\\.[^.]"' >> /etc/Muttrc - echo 'set mbox="~/Maildir"' >> /etc/Muttrc - echo 'set record="+Sent"' >> /etc/Muttrc - echo 'set postponed="+Drafts"' >> /etc/Muttrc - echo 'set trash="+Trash"' >> /etc/Muttrc - echo 'set spoolfile="~/Maildir"' >> /etc/Muttrc - echo 'auto_view text/x-vcard text/html text/enriched' >> /etc/Muttrc - echo 'set editor="emacs -q --load ~/.emacs-mutt"' >> /etc/Muttrc - echo 'set header_cache="+.cache"' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo 'macro index S "=.learn-spam" "move to learn-spam"' >> /etc/Muttrc - echo 'macro pager S "=.learn-spam" "move to learn-spam"' >> /etc/Muttrc - echo 'macro index H "=.learn-ham" "copy to learn-ham"' >> /etc/Muttrc - echo 'macro pager H "=.learn-ham" "copy to learn-ham"' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# set up the sidebar' >> /etc/Muttrc - echo 'set sidebar_width=22' >> /etc/Muttrc - echo 'set sidebar_visible=yes' >> /etc/Muttrc - echo "set sidebar_delim='|'" >> /etc/Muttrc - echo 'set sidebar_sort=yes' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo 'set rfc2047_parameters' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# Show inbox and sent items' >> /etc/Muttrc - echo 'mailboxes = =Sent =maybe-spam =spam' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# Alter these colours as needed for maximum bling' >> /etc/Muttrc - echo 'color sidebar_new yellow default' >> /etc/Muttrc - echo 'color normal white default' >> /etc/Muttrc - echo 'color hdrdefault brightcyan default' >> /etc/Muttrc - echo 'color signature green default' >> /etc/Muttrc - echo 'color attachment brightyellow default' >> /etc/Muttrc - echo 'color quoted green default' >> /etc/Muttrc - echo 'color quoted1 white default' >> /etc/Muttrc - echo 'color tilde blue default' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# ctrl-n, ctrl-p to select next, prev folder' >> /etc/Muttrc - echo '# ctrl-o to open selected folder' >> /etc/Muttrc - echo 'bind index \Cp sidebar-prev' >> /etc/Muttrc - echo 'bind index \Cn sidebar-next' >> /etc/Muttrc - echo 'bind index \Co sidebar-open' >> /etc/Muttrc - echo 'bind pager \Cp sidebar-prev' >> /etc/Muttrc - echo 'bind pager \Cn sidebar-next' >> /etc/Muttrc - echo 'bind pager \Co sidebar-open' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# ctrl-b toggles sidebar visibility' >> /etc/Muttrc - echo "macro index,pager \Cb 'toggle sidebar_visible' 'toggle sidebar'" >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# esc-m Mark new messages as read' >> /etc/Muttrc - echo 'macro index m "T~N;WNT~O;WO\CT~T" "mark all messages read"' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# Collapsing threads' >> /etc/Muttrc - echo 'macro index [ "" "collapse/uncollapse thread"' >> /etc/Muttrc - echo 'macro index ] "" "collapse/uncollapse all threads"' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# threads containing new messages' >> /etc/Muttrc - echo 'uncolor index "~(~N)"' >> /etc/Muttrc - echo 'color index brightblue default "~(~N)"' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# new messages themselves' >> /etc/Muttrc - echo 'uncolor index "~N"' >> /etc/Muttrc - echo 'color index brightyellow default "~N"' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# GPG/PGP integration' >> /etc/Muttrc - echo '# this set the number of seconds to keep in memory the passphrase used to encrypt/sign' >> /etc/Muttrc - echo 'set pgp_timeout=1800' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# automatically sign and encrypt with PGP/MIME' >> /etc/Muttrc - echo 'set pgp_autosign # autosign all outgoing mails' >> /etc/Muttrc - echo 'set pgp_autoencrypt # Try to encrypt automatically' >> /etc/Muttrc - echo 'set pgp_replyencrypt # autocrypt replies to crypted' >> /etc/Muttrc - echo 'set pgp_replysign # autosign replies to signed' >> /etc/Muttrc - echo 'set pgp_auto_decode=yes # decode attachments' >> /etc/Muttrc - echo 'set fcc_clear=no # Keep encrypted copy of sent encrypted mail' >> /etc/Muttrc - echo 'unset smime_is_default' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo 'set alias_file=~/.mutt-alias' >> /etc/Muttrc - echo 'source ~/.mutt-alias' >> /etc/Muttrc - echo 'set query_command= "abook --mutt-query \"%s\""' >> /etc/Muttrc - echo 'macro index,pager A "abook --add-email-quiet" "add the sender address to abook"' >> /etc/Muttrc - echo '' >> /etc/Muttrc - echo '# Optional relay of SMTP via ISP' >> /etc/Muttrc - echo '#set smtp_url="smtps://username:password@isp_mail_domain:465/"' >> /etc/Muttrc - - # create an Emacs configuration specifically for use with Mutt, which - # has word wrap and spell checking on by default - echo "(add-hook 'before-save-hook 'delete-trailing-whitespace)" > /home/$MY_USERNAME/.emacs-mutt - echo '(setq org-support-shift-select t)' >> /home/$MY_USERNAME/.emacs-mutt - echo '(setq standard-indent 4)' >> /home/$MY_USERNAME/.emacs-mutt - echo '(setq-default tab-width 4)' >> /home/$MY_USERNAME/.emacs-mutt - echo '(setq c-basic-offset 4)' >> /home/$MY_USERNAME/.emacs-mutt - echo '(mouse-wheel-mode t)' >> /home/$MY_USERNAME/.emacs-mutt - echo '(setq make-backup-files t)' >> /home/$MY_USERNAME/.emacs-mutt - echo '(setq version-control t)' >> /home/$MY_USERNAME/.emacs-mutt - echo '(setq backup-directory-alist (quote ((".*" . "~/.emacs_backups/"))))' >> /home/$MY_USERNAME/.emacs-mutt - echo "(setq default-major-mode 'text-mode)" >> /home/$MY_USERNAME/.emacs-mutt - echo "(dolist (hook '(text-mode-hook))" >> /home/$MY_USERNAME/.emacs-mutt - echo ' (add-hook hook (lambda () (flyspell-mode 1))))' >> /home/$MY_USERNAME/.emacs-mutt - echo '(setq-default fill-column 72)' >> /home/$MY_USERNAME/.emacs-mutt - echo '(setq auto-fill-mode 0)' >> /home/$MY_USERNAME/.emacs-mutt - echo "(add-hook 'text-mode-hook 'turn-on-auto-fill)" >> /home/$MY_USERNAME/.emacs-mutt - echo "(setq-default auto-fill-function 'do-auto-fill)" >> /home/$MY_USERNAME/.emacs-mutt - - # add the emacs mutt configuration to the user profile skeleton - if [ ! -f /etc/skel/.emacs-mutt ]; then - cp /home/$MY_USERNAME/.emacs-mutt /etc/skel/.emacs-mutt - chown root:root /etc/skel/.emacs-mutt - fi - - cp -f /etc/Muttrc /home/$MY_USERNAME/.muttrc - cp -f /etc/Muttrc /etc/skel/.muttrc - touch /home/$MY_USERNAME/.mutt-alias - cp /home/$MY_USERNAME/.mutt-alias /etc/skel/.mutt-alias - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs-mutt - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.muttrc - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.mutt-alias - - # default user on generic images - if [ -d /home/${GENERIC_IMAGE_USERNAME} ]; then - cp -f /etc/Muttrc /home/${GENERIC_IMAGE_USERNAME}/.muttrc - chown ${GENERIC_IMAGE_USERNAME}:${GENERIC_IMAGE_USERNAME} /home/${GENERIC_IMAGE_USERNAME}/.muttrc - touch /home/${GENERIC_IMAGE_USERNAME}/.mutt-alias - chown ${GENERIC_IMAGE_USERNAME}:${GENERIC_IMAGE_USERNAME} /home/${GENERIC_IMAGE_USERNAME}/.mutt-alias - cp /etc/skel/.emacs-mutt /home/${GENERIC_IMAGE_USERNAME}/.emacs-mutt - chown ${GENERIC_IMAGE_USERNAME}:${GENERIC_IMAGE_USERNAME} /home/${GENERIC_IMAGE_USERNAME}/.emacs-mutt - fi - - echo 'email_client' >> $COMPLETION_FILE -} - -function email_archiving { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - # ensure that the mail archive script is up to date - if [ -f /usr/local/bin/${PROJECT_NAME}-archive-mail ]; then - cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail - else - if [ -f /usr/bin/${PROJECT_NAME}-archive-mail ]; then - cp /usr/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail - else - echo "/usr/bin/${PROJECT_NAME}-archive-mail was not found. ${PROJECT_NAME} might not have fully installed." - exit 62379 - fi - fi - chmod +x /etc/cron.daily/archivemail - - # update to the next commit - set_repo_commit $INSTALL_DIR/cleanup-maildir "cleanup-maildir commit" "$CLEANUP_MAILDIR_COMMIT" $CLEANUP_MAILDIR_REPO - - if grep -Fxq "email_archiving" $COMPLETION_FILE; then - return - fi - - if [ ! -d $INSTALL_DIR ]; then - mkdir $INSTALL_DIR - fi - cd $INSTALL_DIR - git_clone $CLEANUP_MAILDIR_REPO $INSTALL_DIR/cleanup-maildir - cd $INSTALL_DIR/cleanup-maildir - git checkout $CLEANUP_MAILDIR_COMMIT -b $CLEANUP_MAILDIR_COMMIT - if ! grep -q "cleanup-maildir commit" $COMPLETION_FILE; then - echo "cleanup-maildir commit:$CLEANUP_MAILDIR_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/cleanup-maildir commit.*/cleanup-maildir commit:$CLEANUP_MAILDIR_COMMIT/g" $COMPLETION_FILE - fi - - cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin - - echo 'email_archiving' >> $COMPLETION_FILE -} - -# Ensure that the from field is correct when sending email from Mutt -function email_from_address { - if grep -Fxq "email_from_address" $COMPLETION_FILE; then - return - fi - - if [ ! -f /home/$MY_USERNAME/.muttrc ]; then - return - fi - if grep -q "set from=" /home/$MY_USERNAME/.muttrc; then - sed -i "s|set from=.*|set from='$MY_NAME <$MY_EMAIL_ADDRESS>'|g" /home/$MY_USERNAME/.muttrc - else - echo "set from='$MY_NAME <$MY_EMAIL_ADDRESS>'" >> /home/$MY_USERNAME/.muttrc - fi - - echo 'email_from_address' >> $COMPLETION_FILE -} - -function create_public_mailing_list { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "create_public_mailing_list" $COMPLETION_FILE; then - return - fi - if [ ! $PUBLIC_MAILING_LIST ]; then - return - fi - # does the mailing list have a separate domain name? - if [ ! $PUBLIC_MAILING_LIST_DOMAIN_NAME ]; then - PUBLIC_MAILING_LIST_DOMAIN_NAME=$DEFAULT_DOMAIN_NAME - fi - - PUBLIC_MAILING_LIST_USER="mlmmj" - - apt-get -y install mlmmj - adduser --system $PUBLIC_MAILING_LIST_USER - addgroup $PUBLIC_MAILING_LIST_USER - adduser $PUBLIC_MAILING_LIST_USER $PUBLIC_MAILING_LIST_USER - - echo '' - echo $"Creating the $PUBLIC_MAILING_LIST mailing list" - echo '' - - # create the list - mlmmj-make-ml -a -L "$PUBLIC_MAILING_LIST" -c $PUBLIC_MAILING_LIST_USER - - echo 'SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe' > /etc/exim4/conf.d/main/000_localmacros - echo "SYSTEM_ALIASES_USER = $PUBLIC_MAILING_LIST_USER" >> /etc/exim4/conf.d/main/000_localmacros - echo "SYSTEM_ALIASES_GROUP = $PUBLIC_MAILING_LIST_USER" >> /etc/exim4/conf.d/main/000_localmacros - - # router - echo 'mlmmj_router:' > /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' debug_print = "R: mlmmj_router for $local_part@$domain"' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' driver = accept' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' domains = +mlmmj_domains' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' #require_files = MLMMJ_HOME/${lc::$local_part}' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' # Use this instead, if you dont want to give Exim rx rights to mlmmj spool.' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' # Exim will then spawn a new process running under the UID of "mlmmj".' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' require_files = mlmmj:MLMMJ_HOME/${lc::$local_part}' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' local_part_suffix = +*' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' local_part_suffix_optional' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' headers_remove = Delivered-To' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' headers_add = Delivered-To: $local_part$local_part_suffix@$domain' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - echo ' transport = mlmmj_transport' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj - - # transport - echo 'mlmmj_transport:' > /etc/exim4/conf.d/transport/40_exim4-config_mlmmj - echo ' debug_print = "T: mlmmj_transport for $local_part@$domain"' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj - echo ' driver = pipe' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj - echo ' return_path_add' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj - echo ' user = mlmmj' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj - echo ' group = mlmmj' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj - echo ' home_directory = MLMMJ_HOME' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj - echo ' current_directory = MLMMJ_HOME' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj - echo ' command = /usr/bin/mlmmj-receive -F -L MLMMJ_HOME/${lc:$local_part}' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj - - if ! grep -q "MLMMJ_HOME=/var/spool/mlmmj" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then - sed -i '/MAIN CONFIGURATION SETTINGS/a\MLMMJ_HOME=/var/spool/mlmmj' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs - fi - if ! grep -q "domainlist mlmmj_domains =" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then - sed -i "/MLMMJ_HOME/a\domainlist mlmmj_domains = $PUBLIC_MAILING_LIST_DOMAIN_NAME" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs - fi - - - if ! grep -q "delay_warning_condition =" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then - sed -i '/domainlist mlmmj_domains =/a\delay_warning_condition = ${if match_domain{$domain}{+mlmmj_domains}{no}{yes}}' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs - fi - if ! grep -q ": +mlmmj_domains" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then - sed -i 's/domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS/domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS : +mlmmj_domains/g' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs - fi - - if ! grep -q "! +mlmmj_domains" /etc/exim4/conf.d/router/200_exim4-config_primary; then - sed -i 's/domains = ! +local_domains/domains = ! +mlmmj_domains : ! +local_domains/g' /etc/exim4/conf.d/router/200_exim4-config_primary - fi - update-exim4.conf.template -r - update-exim4.conf - systemctl restart exim4 - - if ! grep -q $"$PUBLIC_MAILING_LIST mailing list" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $"$PUBLIC_MAILING_LIST mailing list" >> /home/$MY_USERNAME/README - echo '=================================' >> /home/$MY_USERNAME/README - echo $"To subscribe to the $PUBLIC_MAILING_LIST mailing list send a" >> /home/$MY_USERNAME/README - echo $"cleartext email to $PUBLIC_MAILING_LIST+subscribe@$DEFAULT_DOMAIN_NAME" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - ${PROJECT_NAME}-addlist -u $MY_USERNAME -l "$PUBLIC_MAILING_LIST" -s "$PUBLIC_MAILING_LIST" - - echo 'create_public_mailing_list' >> $COMPLETION_FILE -} - -function create_private_mailing_list { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - # This installation doesn't work, results in ruby errors - # There is currently no schleuder package for Debian jessie - if grep -Fxq "create_private_mailing_list" $COMPLETION_FILE; then - return - fi - if [ ! $PRIVATE_MAILING_LIST ]; then - return - fi - if [[ $PRIVATE_MAILING_LIST == $MY_USERNAME ]]; then - echo $'The name of the private mailing list should not be the same as your username' - exit 10 - fi - if [ ! $MY_GPG_PUBLIC_KEY ]; then - echo $'To create a private mailing list you need to specify a file' - echo $'containing your exported GPG key within MY_GPG_PUBLIC_KEY at' - echo $'the top of the script' - exit 11 - fi - apt-get -y install ruby ruby-dev ruby-gpgme libgpgme11-dev libmagic-dev - gem install schleuder - schleuder-fix-gem-dependencies - schleuder-init-setup --gem - # NOTE: this is version number sensitive and so might need changing - ln -s /var/lib/gems/2.1.0/gems/schleuder-2.2.4 /var/lib/schleuder - sed -i 's/#smtp_port: 25/smtp_port: 465/g' /etc/schleuder/schleuder.conf - sed -i 's/#superadminaddr: root@localhost/superadminaddr: root@localhost' /etc/schleuder/schleuder.conf - schleuder-newlist $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME -realname "$PRIVATE_MAILING_LIST" -adminaddress $MY_EMAIL_ADDRESS -initmember $MY_EMAIL_ADDRESS -initmemberkey $MY_GPG_PUBLIC_KEY -nointeractive - ${PROJECT_NAME}-addemail -u $MY_USERNAME -e $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME -l $PRIVATE_MAILING_LIST - - echo 'schleuder:' > /etc/exim4/conf.d/router/550_exim4-config_schleuder - echo ' debug_print = "R: schleuder for $local_part@$domain"' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder - echo ' driver = accept' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder - echo ' local_part_suffix_optional' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder - echo ' local_part_suffix = +* : -bounce : -sendkey' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder - echo ' domains = +local_domains' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder - echo ' user = schleuder' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder - echo ' group = schleuder' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder - echo ' require_files = schleuder:+/var/lib/schleuder/$domain/${local_part}' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder - echo ' transport = schleuder_transport' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder - - echo 'schleuder_transport:' > /etc/exim4/conf.d/transport/30_exim4-config_schleuder - echo ' debug_print = "T: schleuder_transport for $local_part@$domain"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder - echo ' driver = pipe' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder - echo ' home_directory = "/var/lib/schleuder/$domain/$local_part"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder - echo ' command = "/usr/bin/schleuder $local_part@$domain"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder - chown -R schleuder:schleuder /var/lib/schleuder - update-exim4.conf.template -r - update-exim4.conf - systemctl restart exim4 - useradd -d /var/schleuderlists -s /bin/false schleuder - adduser Debian-exim schleuder - usermod -a -G mail schleuder - #exim -d -bt $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME - echo 'create_private_mailing_list' >> $COMPLETION_FILE -} - -function split_gpg_key_into_fragments { - # split the gpg key into fragments if social key management is enabled - if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then - echo 'Splitting GPG key. You may need to enter your passphrase.' - ${PROJECT_NAME}-splitkey -u $MY_USERNAME -e $MY_EMAIL_ADDRESS --fullname "$MY_NAME" - if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then - echo 'Yhe GPG key could not be split' - exit 86548 - fi - fi -} - -function import_email { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - EMAIL_COMPLETE_MSG=$" - *** ${PROJECT_NAME} mailbox installation is complete *** - - Now on your internet router forward ports - 25, 587, 465, 993 and 2222 to the ${PROJECT_NAME} -" - if grep -Fxq "import_email" $COMPLETION_FILE; then - if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then - backup_to_friends_servers - intrusion_detection - split_gpg_key_into_fragments - clear - echo '' - echo "$EMAIL_COMPLETE_MSG" - if [ -d $USB_MOUNT ]; then - umount $USB_MOUNT - rm -rf $USB_MOUNT - echo $' You can now remove the USB drive' - fi - exit 0 - fi - return - fi - if [ $IMPORT_MAILDIR ]; then - if [ -d $IMPORT_MAILDIR ]; then - echo $'Transfering email files' - cp -r $IMPORT_MAILDIR /home/$MY_USERNAME - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir - else - echo $"Email import directory $IMPORT_MAILDIR not found" - exit 9 - fi - fi - echo 'import_email' >> $COMPLETION_FILE - if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then - backup_to_friends_servers - intrusion_detection - split_gpg_key_into_fragments - # unmount any attached usb drive - clear - echo '' - echo "$EMAIL_COMPLETE_MSG" - echo '' - if [ -d $USB_MOUNT ]; then - umount $USB_MOUNT - rm -rf $USB_MOUNT - echo $' You can now remove the USB drive' - fi - exit 0 - fi -} - -function install_web_server { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then - return - fi - - # update to the next commit - set_repo_commit $INSTALL_DIR/nginx_ensite "Nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO - - if grep -Fxq "install_web_server" $COMPLETION_FILE; then - return - fi - # remove apache - apt-get -y remove --purge apache2 - if [ -d /etc/apache2 ]; then - rm -rf /etc/apache2 - fi - # install nginx - apt-get -y install nginx php5-fpm git - - # limit the number of php processes - sed -i 's/; process.max =.*/process.max = 32/g' /etc/php5/fpm/php-fpm.conf - #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php5/fpm/php-fpm.conf - - if ! grep -q "pm.max_children" /etc/php5/fpm/php-fpm.conf; then - echo 'pm.max_children = 10' >> /etc/php5/fpm/php-fpm.conf - echo 'pm.start_servers = 2' >> /etc/php5/fpm/php-fpm.conf - echo 'pm.min_spare_servers = 2' >> /etc/php5/fpm/php-fpm.conf - echo 'pm.max_spare_servers = 5' >> /etc/php5/fpm/php-fpm.conf - echo 'pm.max_requests = 50' >> /etc/php5/fpm/php-fpm.conf - fi - - if [ ! -d /etc/nginx ]; then - echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE" - exit 51 - fi - - # Nginx settings - echo 'user www-data;' > /etc/nginx/nginx.conf - #echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf - echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo 'events {' >> /etc/nginx/nginx.conf - echo ' worker_connections 50;' >> /etc/nginx/nginx.conf - echo ' # multi_accept on;' >> /etc/nginx/nginx.conf - echo '}' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo 'http {' >> /etc/nginx/nginx.conf - echo ' # limit the number of connections per single IP' >> /etc/nginx/nginx.conf - echo ' limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' # limit the number of requests for a given session' >> /etc/nginx/nginx.conf - echo ' limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf - echo ' client_body_buffer_size 128k;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf - echo ' client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf - echo ' large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf - echo ' client_body_timeout 3m;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf - echo ' client_header_timeout 3m;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' ##' >> /etc/nginx/nginx.conf - echo ' # Basic Settings' >> /etc/nginx/nginx.conf - echo ' ##' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' sendfile on;' >> /etc/nginx/nginx.conf - echo ' tcp_nopush on;' >> /etc/nginx/nginx.conf - echo ' tcp_nodelay on;' >> /etc/nginx/nginx.conf - echo ' keepalive_timeout 65;' >> /etc/nginx/nginx.conf - echo ' types_hash_max_size 2048;' >> /etc/nginx/nginx.conf - echo ' server_tokens off;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf - echo ' # server_name_in_redirect off;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf - echo ' default_type application/octet-stream;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' ##' >> /etc/nginx/nginx.conf - echo ' # Logging Settings' >> /etc/nginx/nginx.conf - echo ' ##' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' access_log /var/log/nginx/access.log;' >> /etc/nginx/nginx.conf - echo ' error_log /var/log/nginx/error.log;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' ###' >> /etc/nginx/nginx.conf - echo ' # Gzip Settings' >> /etc/nginx/nginx.conf - echo ' ##' >> /etc/nginx/nginx.conf - echo ' gzip on;' >> /etc/nginx/nginx.conf - echo ' gzip_disable "msie6";' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' # gzip_vary on;' >> /etc/nginx/nginx.conf - echo ' # gzip_proxied any;' >> /etc/nginx/nginx.conf - echo ' # gzip_comp_level 6;' >> /etc/nginx/nginx.conf - echo ' # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf - echo ' # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf - echo ' # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' ##' >> /etc/nginx/nginx.conf - echo ' # Virtual Host Configs' >> /etc/nginx/nginx.conf - echo ' ##' >> /etc/nginx/nginx.conf - echo '' >> /etc/nginx/nginx.conf - echo ' include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf - echo ' include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf - echo '}' >> /etc/nginx/nginx.conf - - # install a script to easily enable and disable nginx virtual hosts - if [ ! -d $INSTALL_DIR ]; then - mkdir $INSTALL_DIR - fi - cd $INSTALL_DIR - git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite - cd $INSTALL_DIR/nginx_ensite - git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT - if ! grep -q "Nginx-ensite commit" $COMPLETION_FILE; then - echo "Nginx-ensite commit:$NGINX_ENSITE_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/Nginx-ensite commit.*/Nginx-ensite commit:$NGINX_ENSITE_COMMIT/g" $COMPLETION_FILE - fi - - make install - nginx_dissite default - echo 'install_web_server' >> $COMPLETION_FILE -} - -function install_web_server_access_control { - if [ ! -f /etc/pam.d/nginx ]; then - echo '#%PAM-1.0' > /etc/pam.d/nginx - echo '@include common-auth' >> /etc/pam.d/nginx - echo '@include common-account' >> /etc/pam.d/nginx - echo '@include common-session' >> /etc/pam.d/nginx - fi -} - -function configure_php { - sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini - sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini - sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/cli/php.ini - sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php5/fpm/php.ini - sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php5/fpm/php.ini -} - -function add_ddns_domain { - if [ ! $1 ]; then - echo $'ddns domain not specified' - exit 5638 - fi - CURRENT_DDNS_DOMAIN="$1" - if [[ $ONION_ONLY != "no" ]]; then - return - fi - if [ ! -f /etc/inadyn.conf ]; then - echo $'Unable to find inadyn configuration file /etc/inadyn.conf' - exit 5745 - fi - if ! grep -q "$DDNS_PROVIDER" /etc/inadyn.conf; then - echo '' >> /etc/inadyn.conf - echo "system $DDNS_PROVIDER" >> /etc/inadyn.conf - echo ' ssl' >> /etc/inadyn.conf - echo " checkip-url $GET_IP_ADDRESS_URL /" >> /etc/inadyn.conf - if [ $DDNS_USERNAME ]; then - echo " username $DDNS_USERNAME" >> /etc/inadyn.conf - fi - if [ $DDNS_PASSWORD ]; then - echo " password $DDNS_PASSWORD" >> /etc/inadyn.conf - fi - fi - - if ! grep -q "$CURRENT_DDNS_DOMAIN" /etc/inadyn.conf; then - echo " alias $CURRENT_DDNS_DOMAIN" >> /etc/inadyn.conf - fi - chmod 600 /etc/inadyn.conf - systemctl restart inadyn - systemctl daemon-reload -} - -function install_syncthing { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "install_syncthing" $COMPLETION_FILE; then - return - fi - - apt-get -y install curl - - curl -s https://syncthing.net/release-key.txt | apt-key add - - echo "deb http://apt.syncthing.net/ syncthing release" | tee /etc/apt/sources.list.d/syncthing.list - apt-get update - apt-get -y install syncthing - - # This probably does need to run as root so that it can access the Sync directories - # in each user's home directory - echo '[Unit]' > /etc/systemd/system/syncthing.service - echo 'Description=Syncthing - Open Source Continuous File Synchronization' >> /etc/systemd/system/syncthing.service - echo 'Documentation=man:syncthing(1)' >> /etc/systemd/system/syncthing.service - echo 'After=network.target' >> /etc/systemd/system/syncthing.service - echo 'Wants=syncthing-inotify@.service' >> /etc/systemd/system/syncthing.service - echo '' >> /etc/systemd/system/syncthing.service - echo '[Service]' >> /etc/systemd/system/syncthing.service - echo 'User=root' >> /etc/systemd/system/syncthing.service - echo "Environment='all_proxy=socks5://localhost:9050'" >> /etc/systemd/system/syncthing.service - echo 'ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0' >> /etc/systemd/system/syncthing.service - echo 'Restart=on-failure' >> /etc/systemd/system/syncthing.service - echo 'SuccessExitStatus=3 4' >> /etc/systemd/system/syncthing.service - echo 'RestartForceExitStatus=3 4' >> /etc/systemd/system/syncthing.service - echo '' >> /etc/systemd/system/syncthing.service - echo '[Install]' >> /etc/systemd/system/syncthing.service - echo 'WantedBy=multi-user.target' >> /etc/systemd/system/syncthing.service - systemctl enable syncthing - systemctl daemon-reload - systemctl start syncthing - - if ! grep -q "syncthing" /etc/crontab; then - echo "*/1 * * * * root /usr/local/bin/freedombone-syncthing > /dev/null" >> /etc/crontab - systemctl restart cron - fi - - echo 'install_syncthing' >> $COMPLETION_FILE -} - -function upgrade_golang { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - # NOTE: this is annoyingly hacky and going in the opposite - # direction of a pure blend, but it's necessary if you want - # to run the latest version of gogs - - # update to the next commit - set_repo_commit $INSTALL_DIR/gvm "gvm commit" "$GVM_COMMIT" $GVM_REPO - - if grep -Fxq "upgrade_golang" $COMPLETION_FILE; then - return - fi - - export GVM_ROOT=$GVM_HOME - - apt-get -y install curl git mercurial make binutils bison gcc build-essential - if [ ! -d $INSTALL_DIR ]; then - mkdir $INSTALL_DIR - fi - cd $INSTALL_DIR - git_clone $GVM_REPO gvm - cd $INSTALL_DIR/gvm - git checkout $GVM_COMMIT -b $GVM_COMMIT - if [ ! -f binscripts/gvm-installer ]; then - echo $'gvm installer not found' - fi - chmod +x binscripts/gvm-installer - - if [ -d /root/.gvm ]; then - rm -rf /root/.gvm - fi - if [ -d $GVM_ROOT ]; then - rm -rf $GVM_ROOT - fi - sed -i "s|export GVM_ROOT=.*|export GVM_ROOT=$GVM_ROOT|g" ~/.bashrc - - if [ ! -d /home/git ]; then - # add a gogs user account within which the gvm home directory will exist - adduser --disabled-login --gecos 'Gogs' git - fi - if [ -d /home/git/Maildir ]; then - rm -rf /home/git/Maildir - fi - - # TODO: this script is all over the place - # and contains hardcoded github. See if you can do better - ./binscripts/gvm-installer master /home/git - - if [ ! -d $GVM_ROOT ]; then - echo $'Unable to install gvm' - exit 83537 - fi - - [[ -s "$GVM_ROOT/scripts/gvm" ]] && source "$GVM_ROOT/scripts/gvm" - if [ ! -f $GVM_ROOT/bin/gvm ]; then - echo $'gvm was not installed' - fi - if ! grep -q "export GVM_ROOT=" ~/.bashrc; then - echo "export GVM_ROOT=$GVM_ROOT" >> ~/.bashrc - fi - - cd $GVM_ROOT/bin - gvm install go1.4 - gvm use go1.4 - export GOROOT_BOOTSTRAP=$GOROOT - gvm install go${GO_VERSION} - if [ ! "$?" = "0" ]; then - echo $'Unable to upgrade golang' - exit 529252 - fi - gvm use go${GO_VERSION} --default - - chown -R git:git $GVM_HOME - - if ! grep -q "gvm commit" $COMPLETION_FILE; then - echo "gvm commit:$GVM_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/gvm commit.*/gvm commit:$GVM_COMMIT/g" $COMPLETION_FILE - fi - - echo 'upgrade_golang' >> $COMPLETION_FILE -} - -function install_gogs { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! $GIT_DOMAIN_NAME ]; then - return - fi - - select_go_version - - # update to the next commit - set_repo_commit $GOPATH/src/github.com/gogits/gogs "Gogs commit" "$GOGS_COMMIT" $GIT_DOMAIN_REPO - - if grep -Fxq "install_gogs" $COMPLETION_FILE; then - return - fi - - if [ -d $GOPATH/src/github.com/gogits ]; then - rm -rf $GOPATH/src/github.com/gogits - fi - - if [ -d /home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits ]; then - rm -rf /home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits - fi - - if [ -d /home/git/gogs-repositories ]; then - rm -rf /home/git/gogs-repositories - fi - - if [ ! -d /home/git ]; then - # add a gogs user account - adduser --disabled-login --gecos 'Gogs' git - fi - if [ -d /home/git/Maildir ]; then - rm -rf /home/git/Maildir - fi - - if [ -d $GOPATH/src/github.com/gogits ]; then - rm -rf $GOPATH/src/github.com/gogits - fi - - # install Go - apt-get -y install golang libpam0g-dev - if ! grep -q "export GOPATH=" ~/.bashrc; then - echo "export GOPATH=$GOPATH" >> ~/.bashrc - else - sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" ~/.bashrc - fi - systemctl set-environment GOPATH=$GOPATH - if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then - echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc - else - sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc - fi - if [ ! -d $GOPATH ]; then - mkdir -p $GOPATH - fi - GO_PACKAGE_MANAGER_REPO2=$(echo "$GO_PACKAGE_MANAGER_REPO" | sed 's|https://||g') - go get -u $GO_PACKAGE_MANAGER_REPO2 - if [ ! "$?" = "0" ]; then - echo $'install_gogs: go get failed' - exit 479832 - fi - - # clone the repo - if [ ! -d $GOPATH/src/github.com/gogits ]; then - mkdir -p $GOPATH/src/github.com/gogits - fi - git_clone $GIT_DOMAIN_REPO $GOPATH/src/github.com/gogits/gogs - if [ ! -d $GOPATH/src/github.com/gogits/gogs ]; then - echo $"Unable to clone repo $GOPATH/src/github.com/gogits/gogs" - exit 85482 - fi - cd $GOPATH/src/github.com/gogits/gogs - - # install - go get -u ./... - - git checkout $GOGS_COMMIT -b $GOGS_COMMIT - if ! grep -q "Gogs commit" $COMPLETION_FILE; then - echo "Gogs commit:$GOGS_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/Gogs commit.*/Gogs commit:$GOGS_COMMIT/g" $COMPLETION_FILE - fi - - go build - if [ ! "$?" = "0" ]; then - echo $'install_gogs: go build failed' - exit 546750 - fi - - install_mariadb - get_mariadb_password - - get_mariadb_git_admin_password - if [ ! $GIT_ADMIN_PASSWORD ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - GIT_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - GIT_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - fi - - if ! grep -q $"Gogs admin user password" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo 'Gogs' >> /home/$MY_USERNAME/README - echo '====' >> /home/$MY_USERNAME/README - echo $'Install Steps For First-time Run:' >> /home/$MY_USERNAME/README - echo $'Leave email service settings empty' >> /home/$MY_USERNAME/README - echo $'Check "Enable Register Confirmation"' >> /home/$MY_USERNAME/README - echo $'Check "Enable Mail Notification"' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'If you want to disable new account registrations then append the following:' >> /home/$MY_USERNAME/README - echo ' [service]' >> /home/$MY_USERNAME/README - echo ' DISABLE_REGISTRATION = true' >> /home/$MY_USERNAME/README - echo $'Then restart with:' >> /home/$MY_USERNAME/README - echo ' systemctl restart gogs' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $"Note that there's a usability/security trade-off made here." >> /home/$MY_USERNAME/README - echo $"In order to allow git clone via http we don't redirect everything" >> /home/$MY_USERNAME/README - echo $'over https. Instead only critical things such as user login,' >> /home/$MY_USERNAME/README - echo $'settings and admin are encrypted.' >> /home/$MY_USERNAME/README - echo $'There are also potential security issues with cloning/pulling/pushing' >> /home/$MY_USERNAME/README - echo $'code over http, since a determined adversary could inject malware' >> /home/$MY_USERNAME/README - echo $'into the stream as it passes, so beware.' >> /home/$MY_USERNAME/README - echo $'If you have a bought domain and a non-self signed cert then you' >> /home/$MY_USERNAME/README - echo $"should change /etc/nginx/sites-available/$GIT_DOMAIN_NAME to redirect everything over https." >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - create_database gogs "$GOGS_ADMIN_PASSWORD" - if [ ! -f $GOPATH/src/github.com/gogits/gogs/scripts/mysql.sql ]; then - echo $'MySql template for Gogs was not found' - exit 72528 - fi - mysql -u root --password="$MARIADB_PASSWORD" -D gogs < $GOPATH/src/github.com/gogits/gogs/scripts/mysql.sql - - chmod 600 $GOPATH/src/github.com/gogits/gogs/custom/conf/app.ini - - chown -R git:git /home/git - echo '[Unit]' > /etc/systemd/system/gogs.service - echo 'Description=Gogs (Go Git Service)' >> /etc/systemd/system/gogs.service - echo 'After=syslog.target' >> /etc/systemd/system/gogs.service - echo 'After=network.target' >> /etc/systemd/system/gogs.service - echo 'After=mysqld.service' >> /etc/systemd/system/gogs.service - echo '' >> /etc/systemd/system/gogs.service - echo '[Service]' >> /etc/systemd/system/gogs.service - echo '#LimitMEMLOCK=infinity' >> /etc/systemd/system/gogs.service - echo '#LimitNOFILE=65535' >> /etc/systemd/system/gogs.service - echo 'Type=simple' >> /etc/systemd/system/gogs.service - echo 'User=git' >> /etc/systemd/system/gogs.service - echo 'Group=git' >> /etc/systemd/system/gogs.service - echo "WorkingDirectory=$GOPATH/src/github.com/gogits/gogs" >> /etc/systemd/system/gogs.service - echo "ExecStart=$GOPATH/src/github.com/gogits/gogs/gogs web" >> /etc/systemd/system/gogs.service - echo 'Restart=always' >> /etc/systemd/system/gogs.service - echo 'RestartSec=10' >> /etc/systemd/system/gogs.service - echo 'TimeoutStartSec=120' >> /etc/systemd/system/gogs.service - echo "Environment=\"USER=git\" \"HOME=/home/git\" \"GOPATH=$GOPATH\" \"GVM_ROOT=$GVM_HOME\"" >> /etc/systemd/system/gogs.service - echo '' >> /etc/systemd/system/gogs.service - echo '[Install]' >> /etc/systemd/system/gogs.service - echo 'WantedBy=multi-user.target' >> /etc/systemd/system/gogs.service - - systemctl enable gogs - systemctl daemon-reload - systemctl restart gogs - - if [ ! -d /var/www/$GIT_DOMAIN_NAME ]; then - mkdir /var/www/$GIT_DOMAIN_NAME - fi - if [ -d /var/www/$GIT_DOMAIN_NAME/htdocs ]; then - rm -rf /var/www/$GIT_DOMAIN_NAME/htdocs - fi - - if [[ $ONION_ONLY == "no" ]]; then - nginx_http_redirect $GIT_DOMAIN_NAME - echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - nginx_limits $GIT_DOMAIN_NAME '10G' - nginx_ssl $GIT_DOMAIN_NAME - nginx_disable_sniffing $GIT_DOMAIN_NAME - echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' location = /robots.txt {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' allow all;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' log_not_found off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - else - echo -n '' > /etc/nginx/sites-available/$GIT_DOMAIN_NAME - fi - echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " listen 127.0.0.1:${GIT_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo " error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - nginx_limits $GIT_DOMAIN_NAME '10G' - nginx_disable_sniffing $GIT_DOMAIN_NAME - echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' location = /robots.txt {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' allow all;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' log_not_found off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME - - configure_php - - create_site_certificate $GIT_DOMAIN_NAME 'yes' - - nginx_ensite $GIT_DOMAIN_NAME - - if [ ! -d /var/lib/tor ]; then - echo $'No Tor installation found. Gogs onion site cannot be configured.' - exit 877367 - fi - if ! grep -q "hidden_service_gogs" /etc/tor/torrc; then - echo 'HiddenServiceDir /var/lib/tor/hidden_service_gogs/' >> /etc/tor/torrc - echo "HiddenServicePort 80 127.0.0.1:${GIT_ONION_PORT}" >> /etc/tor/torrc - echo "HiddenServicePort 9418 127.0.0.1:9418" >> /etc/tor/torrc - echo $'Added onion site for Gogs' - fi - - systemctl restart tor - wait_for_onion_service 'gogs' - - GIT_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_gogs/hostname) - - systemctl restart php5-fpm - systemctl restart nginx - - if ! grep -q "Gogs onion domain" /home/$MY_USERNAME/README; then - echo "Gogs onion domain: ${GIT_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - if ! grep -q "Gogs onion domain" $COMPLETION_FILE; then - echo "Gogs onion domain:${GIT_ONION_HOSTNAME}" >> $COMPLETION_FILE - fi - - add_ddns_domain $GIT_DOMAIN_NAME - - # obtain the secret key - GOGS_SECRET_KEY= - if grep -q "Gogs secret key:" /home/$MY_USERNAME/README; then - GOGS_SECRET_KEY=$(cat /home/$MY_USERNAME/README | grep "Gogs secret key:" | awk -F ':' '{print $2}' | sed 's/^ *//') - else - GOGS_SECRET_KEY="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - echo "Gogs secret key:$GOGS_SECRET_KEY" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - fi - - # create the configuration - GOGS_CONFIG_PATH=/home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits/gogs/custom/conf - if [ ! -d $GOGS_CONFIG_PATH ]; then - mkdir -p $GOGS_CONFIG_PATH - fi - GOGS_CONFIG_FILE=$GOGS_CONFIG_PATH/app.ini - echo 'RUN_USER = git' > $GOGS_CONFIG_FILE - echo 'RUN_MODE = prod' >> $GOGS_CONFIG_FILE - echo '' >> $GOGS_CONFIG_FILE - echo '[database]' >> $GOGS_CONFIG_FILE - echo 'DB_TYPE = mysql' >> $GOGS_CONFIG_FILE - echo 'HOST = 127.0.0.1:3306' >> $GOGS_CONFIG_FILE - echo 'NAME = gogs' >> $GOGS_CONFIG_FILE - echo 'USER = root' >> $GOGS_CONFIG_FILE - echo "PASSWD = $MARIADB_PASSWORD" >> $GOGS_CONFIG_FILE - echo 'SSL_MODE = disable' >> $GOGS_CONFIG_FILE - echo 'PATH = data/gogs.db' >> $GOGS_CONFIG_FILE - echo '' >> $GOGS_CONFIG_FILE - echo '[repository]' >> $GOGS_CONFIG_FILE - echo 'ROOT = /home/git/gogs-repositories' >> $GOGS_CONFIG_FILE - echo '' >> $GOGS_CONFIG_FILE - echo '[server]' >> $GOGS_CONFIG_FILE - if [[ $ONION_ONLY == 'no' ]]; then - echo "DOMAIN = ${GIT_DOMAIN_NAME}" >> $GOGS_CONFIG_FILE - else - echo "DOMAIN = ${GIT_ONION_HOSTNAME}" >> $GOGS_CONFIG_FILE - fi - echo 'HTTP_PORT = 3000' >> $GOGS_CONFIG_FILE - echo "ROOT_URL = http://$GIT_DOMAIN_NAME/" >> $GOGS_CONFIG_FILE - echo "SSH_PORT = $SSH_PORT" >> $GOGS_CONFIG_FILE - echo 'SSH_DOMAIN = %(DOMAIN)s' >> $GOGS_CONFIG_FILE - echo "CERT_FILE = /etc/ssl/certs/${GIT_DOMAIN_NAME}.crt" >> $GOGS_CONFIG_FILE - echo "KEY_FILE = /etc/ssl/private/${GIT_DOMAIN_NAME}.key" >> $GOGS_CONFIG_FILE - echo 'DISABLE_ROUTER_LOG = true' >> $GOGS_CONFIG_FILE - echo '' >> $GOGS_CONFIG_FILE - echo '[session]' >> $GOGS_CONFIG_FILE - echo 'PROVIDER = file' >> $GOGS_CONFIG_FILE - echo '' >> $GOGS_CONFIG_FILE - echo '[log]' >> $GOGS_CONFIG_FILE - echo 'MODE = file' >> $GOGS_CONFIG_FILE - echo 'LEVEL = Info' >> $GOGS_CONFIG_FILE - echo '' >> $GOGS_CONFIG_FILE - echo '[security]' >> $GOGS_CONFIG_FILE - echo 'INSTALL_LOCK = true' >> $GOGS_CONFIG_FILE - echo "SECRET_KEY = $GOGS_SECRET_KEY" >> $GOGS_CONFIG_FILE - echo '' >> $GOGS_CONFIG_FILE - echo '[service]' >> $GOGS_CONFIG_FILE - echo 'DISABLE_REGISTRATION = false' >> $GOGS_CONFIG_FILE - echo 'SHOW_REGISTRATION_BUTTON = true' >> $GOGS_CONFIG_FILE - echo 'REQUIRE_SIGNIN_VIEW = false' >> $GOGS_CONFIG_FILE - echo 'ENABLE_CAPTCHA = false' >> $GOGS_CONFIG_FILE - echo '' >> $GOGS_CONFIG_FILE - echo '[other]' >> $GOGS_CONFIG_FILE - echo 'SHOW_FOOTER_BRANDING = false' >> $GOGS_CONFIG_FILE - echo 'SHOW_FOOTER_VERSION = false' >> $GOGS_CONFIG_FILE - - chmod 750 $GOGS_CONFIG_FILE - chown -R git:git /home/git - - systemctl restart gogs - - if ! grep -q "Gogs domain:" $COMPLETION_FILE; then - echo "Gogs domain:$GIT_DOMAIN_NAME" >> $COMPLETION_FILE - fi - echo 'install_gogs' >> $COMPLETION_FILE -} - -function tox_avahi { - if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "tox_avahi" $COMPLETION_FILE; then - return - fi - - if [ ! -d /etc/avahi ]; then - echo $'tox_avahi: avahi is not installed' - exit 87359 - fi - - # install a command to obtain the Tox ID - cd $INSTALL_DIR - git_clone $TOXID_REPO $INSTALL_DIR/toxid - if [ ! -d $INSTALL_DIR/toxid ]; then - exit 63921 - fi - cd $INSTALL_DIR/toxid - make - if [ ! "$?" = "0" ]; then - exit 58432 - fi - make install - - toxavahi - - # publish regularly - if ! grep -q "toxavahi" /etc/crontab; then - echo "* * * * * root toxavahi > /dev/null" >> /etc/crontab - fi - - systemctl restart avahi-daemon - - echo 'tox_avahi' >> $COMPLETION_FILE -} - -function install_tox_node { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then - return - fi - - # update to the next commit - set_repo_commit $INSTALL_DIR/toxcore "toxcore commit" "$TOXCORE_COMMIT" $TOXCORE_REPO - - if grep -Fxq "install_tox_node" $COMPLETION_FILE; then - return - fi - - ${PROJECT_NAME}-mesh-install -f tox_node - if [ ! "$?" = "0" ]; then - echo $'Failed to install tox node' - exit 26778 - fi - - TOX_ONION_HOSTNAME=$(add_onion_service tox ${TOX_PORT} ${TOX_PORT}) - - if ! grep -q "tox onion domain" $COMPLETION_FILE; then - echo "tox onion domain:${TOX_ONION_HOSTNAME}" >> $COMPLETION_FILE - else - sed -i "s|tox onion domain.*|tox onion domain:${TOX_ONION_HOSTNAME}|g" $COMPLETION_FILE - fi - - systemctl restart tox-bootstrapd.service - - TOX_PUBLIC_KEY=$(cat /var/log/syslog | grep tox | grep "Public Key" | awk -F ' ' '{print $8}' | tail -1) - if [ ${#TOX_PUBLIC_KEY} -lt 30 ]; then - echo $'Could not obtain the tox node public key' - exit 6529 - fi - - # save the public key for later reference - echo "$TOX_PUBLIC_KEY" > $TOX_BOOTSTRAP_ID_FILE - - configure_firewall_for_tox - - if ! grep -q $"Your Tox node public key is" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo 'Tox' >> /home/$MY_USERNAME/README - echo '===' >> /home/$MY_USERNAME/README - echo $"tox onion domain: ${TOX_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README - echo $"Your Tox node public key is: $TOX_PUBLIC_KEY" >> /home/$MY_USERNAME/README - echo $'In the Toxic client you can connect to it with:' >> /home/$MY_USERNAME/README - echo " /connect $DEFAULT_DOMAIN_NAME.local $TOX_PORT $TOX_PUBLIC_KEY" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'install_tox_node' >> $COMPLETION_FILE -} - -function install_tox_client { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then - return - fi - - # update to the next commit - set_repo_commit $INSTALL_DIR/toxic "Toxic commit" "$TOXIC_COMMIT" $TOXIC_REPO - - if grep -Fxq "install_tox_client" $COMPLETION_FILE; then - return - fi - - ${PROJECT_NAME}-mesh-install -f tox_client - if [ ! "$?" = "0" ]; then - echo $'Could not install Tox client' - exit 67248 - fi - - # initial setup of username - #su -c "echo 'n - #/nick $MY_USERNAME - #/exit - #' | $TOXIC_FILE -d" - $MY_USERNAME - - echo 'install_tox_client' >> $COMPLETION_FILE -} - -function update_prosody_modules { - if [ ! -d $INSTALL_DIR/prosody-modules ]; then - return - fi - if [ ! -d /usr/lib/prosody ]; then - return - fi - - cd $INSTALL_DIR/prosody-modules - hg pull - hg update - - # support onion addresses - if [ -f $INSTALL_DIR/prosody-modules/mod_onions/mod_onions.lua ]; then - cp $INSTALL_DIR/prosody-modules/mod_onions/mod_onions.lua /usr/lib/prosody/modules/mod_onions.lua - fi - - # XEP-0313 message archive management - # https://modules.prosody.im/mod_mam.html - # Allows you to download your previous messages onto a new client - # This only applies if you are not using forward secret crypto - # such as OTR or OMEMO (eg. OpenPGP) - if [ -d $INSTALL_DIR/prosody-modules/mod_mam ]; then - cp $INSTALL_DIR/prosody-modules/mod_mam/*.lua /usr/lib/prosody/modules - fi - - # XEP-0352 Client State Indication - # Notifies the server if the app is in the background or not - if [ -d $INSTALL_DIR/prosody-modules/mod_csi ]; then - cp $INSTALL_DIR/prosody-modules/mod_csi/*.lua /usr/lib/prosody/modules - fi - - # XEP-0280 Message Carbons - # Ensures all messages get delivered to all clients (if you have a mobile and desktop client) - if [ -d $INSTALL_DIR/prosody-modules/mod_carbons ]; then - cp $INSTALL_DIR/prosody-modules/mod_carbons/*.lua /usr/lib/prosody/modules - fi - - # XEP-0198 Stream management - # Helps mobile apps recover when a device switches networks. - if [ -d $INSTALL_DIR/prosody-modules/mod_smacks ]; then - cp $INSTALL_DIR/prosody-modules/mod_smacks/*.lua /usr/lib/prosody/modules - fi - if [ -d $INSTALL_DIR/prosody-modules/mod_smacks_offline ]; then - cp $INSTALL_DIR/prosody-modules/mod_smacks_offline/*.lua /usr/lib/prosody/modules - fi - - # XEP-0191: blocking - if [ -d $INSTALL_DIR/prosody-modules/mod_blocking ]; then - cp $INSTALL_DIR/prosody-modules/mod_blocking/*.lua /usr/lib/prosody/modules - fi - - # XEP-0016 Privacy lists - if [ -d $INSTALL_DIR/prosody-modules/mod_privacy_lists ]; then - cp $INSTALL_DIR/prosody-modules/mod_privacy_lists/*.lua /usr/lib/prosody/modules - fi -} - -function install_xmpp { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - update_prosody_modules - - if grep -Fxq "install_xmpp" $COMPLETION_FILE; then - return - fi - apt-get -y install lua-sec lua-bitop - apt-get -y install prosody prosody-modules mercurial - - if [ ! -d /etc/prosody ]; then - echo $"ERROR: prosody does not appear to have installed. $CHECK_MESSAGE" - exit 52 - fi - - # obtain the prosody modules - cd $INSTALL_DIR - hg clone https://hg.prosody.im/prosody-modules/ prosody-modules - if [ ! -d $INSTALL_DIR/prosody-modules/mod_onions ]; then - echo $'mod_onions prosody module could not be found' - exit 73254 - fi - - # install the onions module - update_prosody_modules - if [ ! -f /usr/lib/prosody/modules/mod_onions.lua ]; then - echo $'mod_onions.lua could not be copied to the prosody modules directory' - exit 63952 - fi - - # create a certificate - if [ ! -f /etc/ssl/certs/xmpp.dhparam ]; then - ${PROJECT_NAME}-addcert -h xmpp --dhkey $DH_KEYLENGTH - check_certificates xmpp - fi - chown prosody:prosody /etc/ssl/private/xmpp.key - chown prosody:prosody /etc/ssl/certs/xmpp.* - cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua - - sed -i 's|/etc/prosody/certs/example.com.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/conf.avail/xmpp.cfg.lua - sed -i 's|/etc/prosody/certs/example.com.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/conf.avail/xmpp.cfg.lua - if ! grep -q "xmpp.dhparam" /etc/prosody/conf.avail/xmpp.cfg.lua; then - sed -i '/certificate =/a\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/conf.avail/xmpp.cfg.lua - fi - if ! grep -q 'options = {"no_sslv2", "no_sslv3" }' /etc/prosody/conf.avail/xmpp.cfg.lua; then - sed -i '/certificate =/a\ options = {"no_sslv2", "no_sslv3" };' /etc/prosody/conf.avail/xmpp.cfg.lua - fi - if ! grep -q 'ciphers =' /etc/prosody/conf.avail/xmpp.cfg.lua; then - sed -i "/certificate =/a\ ciphers = $XMPP_CIPHERS;" /etc/prosody/conf.avail/xmpp.cfg.lua - fi - if ! grep -q 'depth = "1";' /etc/prosody/conf.avail/xmpp.cfg.lua; then - sed -i '/certificate =/a\ depth = "1";' /etc/prosody/conf.avail/xmpp.cfg.lua - fi - if ! grep -q 'curve =' /etc/prosody/conf.avail/xmpp.cfg.lua; then - sed -i "/certificate =/a\ curve = $XMPP_ECC_CURVE;" /etc/prosody/conf.avail/xmpp.cfg.lua - fi - - sed -i "s/example.com/$DEFAULT_DOMAIN_NAME/g" /etc/prosody/conf.avail/xmpp.cfg.lua - sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/conf.avail/xmpp.cfg.lua - - if ! grep -q "modules_enabled" /etc/prosody/conf.avail/xmpp.cfg.lua; then - echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo 'modules_enabled = {' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "bosh"; -- Enable mod_bosh' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "tls"; -- Enable mod_tls' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "saslauth"; -- Enable mod_saslauth' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "onions"; -- Enable chat via onion service' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "mam"; -- Message archive management' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "csi"; -- Client state indication' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "carbons"; -- Message carbons' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "smacks"; -- Stream management' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "smacks_offline"; -- Stream management' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "pep"; -- Personal Eventing Protocol (to support OMEMO)' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "privacy"; -- Privacy lists' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "privacy_lists"; -- Privacy lists' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "blocking"; -- Blocking command' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' "roster"; -- Roster versioning' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo '}' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo 'c2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo 's2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua - fi - ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua - - sed -i 's|/etc/prosody/certs/localhost.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/prosody.cfg.lua - sed -i 's|/etc/prosody/certs/localhost.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/prosody.cfg.lua - if ! grep -q "xmpp.dhparam" /etc/prosody/prosody.cfg.lua; then - sed -i '/certificate =/a\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/prosody.cfg.lua - fi - if ! grep -q 'options = {"no_sslv2", "no_sslv3" }' /etc/prosody/prosody.cfg.lua; then - sed -i '/certificate =/a\ options = {"no_sslv2", "no_sslv3" };' /etc/prosody/prosody.cfg.lua - fi - if ! grep -q 'ciphers =' /etc/prosody/prosody.cfg.lua; then - sed -i "/certificate =/a\ ciphers = $XMPP_CIPHERS;" /etc/prosody/prosody.cfg.lua - fi - if ! grep -q 'depth = "1";' /etc/prosody/prosody.cfg.lua; then - sed -i '/certificate =/a\ depth = "1";' /etc/prosody/prosody.cfg.lua - fi - if ! grep -q 'curve =' /etc/prosody/prosody.cfg.lua; then - sed -i "/certificate =/a\ curve = $XMPP_ECC_CURVE;" /etc/prosody/prosody.cfg.lua - fi - sed -i 's/c2s_require_encryption = false/c2s_require_encryption = true/g' /etc/prosody/prosody.cfg.lua - if ! grep -q "s2s_require_encryption" /etc/prosody/prosody.cfg.lua; then - sed -i '/c2s_require_encryption/a\s2s_require_encryption = true' /etc/prosody/prosody.cfg.lua - fi - if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/prosody.cfg.lua; then - echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua - fi - sed -i 's/--"bosh";/"bosh";/g' /etc/prosody/prosody.cfg.lua - sed -i 's/authentication = "internal_plain"/authentication = "internal_hashed"/g' /etc/prosody/prosody.cfg.lua - sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/prosody.cfg.lua - sed -i 's|key = "/etc/prosody/certs/example.com.key"|key = "/etc/ssl/private/xmpp.key"|g' /etc/prosody/prosody.cfg.lua - sed -i 's|certificate = "/etc/prosody/certs/example.com.crt"|certificate = "/etc/ssl/certs/xmpp.crt"|g' /etc/prosody/prosody.cfg.lua - sed -i "s/example.com/$DEFAULT_DOMAIN_NAME/g" /etc/prosody/prosody.cfg.lua - - systemctl restart prosody - touch /home/$MY_USERNAME/README - - if [ ! -d /var/lib/tor ]; then - echo $'No Tor installation found. XMPP onion site cannot be configured.' - exit 877367 - fi - if ! grep -q "hidden_service_xmpp" /etc/tor/torrc; then - echo 'HiddenServiceDir /var/lib/tor/hidden_service_xmpp/' >> /etc/tor/torrc - echo "HiddenServicePort 5222 127.0.0.1:5222" >> /etc/tor/torrc - echo "HiddenServicePort 5269 127.0.0.1:5269" >> /etc/tor/torrc - echo $'Added onion site for XMPP chat' - fi - - systemctl restart tor - wait_for_onion_service 'xmpp' - - if [ ! -f /var/lib/tor/hidden_service_xmpp/hostname ]; then - echo $'XMPP onion site hostname not found' - exit 65349 - fi - XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname) - if ! grep -q "${XMPP_ONION_HOSTNAME}" /etc/prosody/conf.avail/xmpp.cfg.lua; then - echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo "VirtualHost \"${XMPP_ONION_HOSTNAME}\"" >> /etc/prosody/conf.avail/xmpp.cfg.lua - echo ' modules_enabled = { "onions" };' >> /etc/prosody/conf.avail/xmpp.cfg.lua - fi - if ! grep -q "XMPP onion domain" $COMPLETION_FILE; then - echo "XMPP onion domain:${XMPP_ONION_HOSTNAME}" >> $COMPLETION_FILE - else - sed -i "s|XMPP onion domain.*|XMPP onion domain:${XMPP_ONION_HOSTNAME}|g" $COMPLETION_FILE - fi - - if ! grep -q "Your XMPP password is" /home/$MY_USERNAME/README; then - if [ ${#XMPP_PASSWORD} -lt 8 ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - XMPP_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - XMPP_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - fi - prosodyctl register $MY_USERNAME $DEFAULT_DOMAIN_NAME $XMPP_PASSWORD - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'XMPP' >> /home/$MY_USERNAME/README - echo '====' >> /home/$MY_USERNAME/README - echo $"XMPP onion domain: ${XMPP_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README - echo $"Your XMPP password is: $XMPP_PASSWORD" >> /home/$MY_USERNAME/README - echo $'You can change it with: ' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo " prosodyctl passwd $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - echo 'install_xmpp' >> $COMPLETION_FILE -} - -function install_xmpp_client { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "install_xmpp_client" $COMPLETION_FILE; then - return - fi - apt-get -y install profanity - - XMPP_CLIENT_DIR=/home/$MY_USERNAME/.local/share/profanity - XMPP_CLIENT_ACCOUNTS=$XMPP_CLIENT_DIR/accounts - if [ ! -d $XMPP_CLIENT_DIR ]; then - mkdir -p $XMPP_CLIENT_DIR - fi - - if [[ $ONION_ONLY == 'no' ]]; then - echo "[${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}]" > $XMPP_CLIENT_ACCOUNTS - echo 'enabled=true' >> $XMPP_CLIENT_ACCOUNTS - echo "jid=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}" >> $XMPP_CLIENT_ACCOUNTS - echo 'resource=profanity' >> $XMPP_CLIENT_ACCOUNTS - echo "muc.service=conference.${DEFAULT_DOMAIN_NAME}" >> $XMPP_CLIENT_ACCOUNTS - echo "muc.nick=${MY_USERNAME}" >> $XMPP_CLIENT_ACCOUNTS - echo 'presence.last=online' >> $XMPP_CLIENT_ACCOUNTS - echo 'presence.login=online' >> $XMPP_CLIENT_ACCOUNTS - echo 'priority.online=0' >> $XMPP_CLIENT_ACCOUNTS - echo 'priority.chat=0' >> $XMPP_CLIENT_ACCOUNTS - echo 'priority.away=0' >> $XMPP_CLIENT_ACCOUNTS - echo 'priority.xa=0' >> $XMPP_CLIENT_ACCOUNTS - echo 'priority.dnd=0' >> $XMPP_CLIENT_ACCOUNTS - if [ ${#XMPP_PASSWORD} -gt 2 ]; then - echo "password=$XMPP_PASSWORD" >> $XMPP_CLIENT_ACCOUNTS - fi - fi - - if [ -f /var/lib/tor/hidden_service_xmpp/hostname ]; then - XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname) - echo "[${MY_USERNAME}@${XMPP_ONION_HOSTNAME}]" >> $XMPP_CLIENT_ACCOUNTS - if [[ $ONION_ONLY == 'no' ]]; then - echo 'enabled=false' >> $XMPP_CLIENT_ACCOUNTS - else - echo 'enabled=true' >> $XMPP_CLIENT_ACCOUNTS - fi - echo "jid=${MY_USERNAME}@${XMPP_ONION_HOSTNAME}" >> $XMPP_CLIENT_ACCOUNTS - echo 'resource=profanity' >> $XMPP_CLIENT_ACCOUNTS - echo "muc.service=conference.${XMPP_ONION_HOSTNAME}" >> $XMPP_CLIENT_ACCOUNTS - echo "muc.nick=${MY_USERNAME}" >> $XMPP_CLIENT_ACCOUNTS - echo 'presence.last=online' >> $XMPP_CLIENT_ACCOUNTS - echo 'presence.login=online' >> $XMPP_CLIENT_ACCOUNTS - echo 'priority.online=0' >> $XMPP_CLIENT_ACCOUNTS - echo 'priority.chat=0' >> $XMPP_CLIENT_ACCOUNTS - echo 'priority.away=0' >> $XMPP_CLIENT_ACCOUNTS - echo 'priority.xa=0' >> $XMPP_CLIENT_ACCOUNTS - echo 'priority.dnd=0' >> $XMPP_CLIENT_ACCOUNTS - if [ ${#XMPP_PASSWORD} -gt 2 ]; then - echo "password=$XMPP_PASSWORD" >> $XMPP_CLIENT_ACCOUNTS - fi - fi - - if [ ! -d /home/$MY_USERNAME/.config/profanity ]; then - mkdir /home/$MY_USERNAME/.config/profanity - fi - echo '[connection]' > /home/$MY_USERNAME/.config/profanity/profrc - echo "account=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}" >> /home/$MY_USERNAME/.config/profanity/profrc - - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.local - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config - - echo 'install_xmpp_client' >> $COMPLETION_FILE -} - -function install_watchdog_script { - if grep -Fxq "install_watchdog_script" $COMPLETION_FILE; then - return - fi - echo '#!/bin/bash' > /usr/bin/$WATCHDOG_SCRIPT_NAME - echo 'LOGFILE=/var/log/keepon.log' >> /usr/bin/$WATCHDOG_SCRIPT_NAME - echo 'CURRENT_DATE=$(date)' >> /usr/bin/$WATCHDOG_SCRIPT_NAME - # application specific stuff is added later - chmod +x /usr/bin/$WATCHDOG_SCRIPT_NAME - - if ! grep -q "/usr/bin/$WATCHDOG_SCRIPT_NAME" /etc/crontab; then - echo "* * * * * root /usr/bin/$WATCHDOG_SCRIPT_NAME" >> /etc/crontab - fi - - echo 'install_watchdog_script' >> $COMPLETION_FILE -} - -function install_irc_client { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "install_irc_client" $COMPLETION_FILE; then - return - fi - apt-get -y install irssi - - if [ ! -d /home/$MY_USERNAME/.irssi ]; then - mkdir /home/$MY_USERNAME/.irssi - fi - - echo 'servers = (' > /home/$MY_USERNAME/.irssi/config - echo ' {' >> /home/$MY_USERNAME/.irssi/config - echo ' address = "chat.freenode.net";' >> /home/$MY_USERNAME/.irssi/config - echo ' chatnet = "Freenode";' >> /home/$MY_USERNAME/.irssi/config - echo ' port = "6667";' >> /home/$MY_USERNAME/.irssi/config - echo ' autoconnect = "no";' >> /home/$MY_USERNAME/.irssi/config - echo ' },' >> /home/$MY_USERNAME/.irssi/config - echo ' {' >> /home/$MY_USERNAME/.irssi/config - echo ' address = "irc.oftc.net";' >> /home/$MY_USERNAME/.irssi/config - echo ' chatnet = "OFTC";' >> /home/$MY_USERNAME/.irssi/config - echo ' port = "6667";' >> /home/$MY_USERNAME/.irssi/config - echo ' autoconnect = "yes";' >> /home/$MY_USERNAME/.irssi/config - echo ' },' >> /home/$MY_USERNAME/.irssi/config - echo ' {' >> /home/$MY_USERNAME/.irssi/config - echo " address = \"127.0.0.1\";" >> /home/$MY_USERNAME/.irssi/config - if [[ $ONION_ONLY == 'no' ]]; then - echo " port = \"${IRC_PORT}\";" >> /home/$MY_USERNAME/.irssi/config - echo ' use_ssl = "yes";' >> /home/$MY_USERNAME/.irssi/config - else - IRC_ONION_HOSTNAME=$(cat $COMPLETION_FILE | grep "IRC onion domain" | awk -F ':' '{print $2}') - echo " port = \"${IRC_ONION_PORT}\";" >> /home/$MY_USERNAME/.irssi/config - echo ' use_ssl = "no";' >> /home/$MY_USERNAME/.irssi/config - fi - echo ' chatnet = "Freedombone";' >> /home/$MY_USERNAME/.irssi/config - echo ' ssl_verify = "no";' >> /home/$MY_USERNAME/.irssi/config - echo ' autoconnect = "yes";' >> /home/$MY_USERNAME/.irssi/config - if [ $IRC_PASSWORD ]; then - echo " password = \"${IRC_PASSWORD}\";" >> /home/$MY_USERNAME/.irssi/config - fi - echo ' }' >> /home/$MY_USERNAME/.irssi/config - echo ');' >> /home/$MY_USERNAME/.irssi/config - echo '' >> /home/$MY_USERNAME/.irssi/config - echo 'chatnets = {' >> /home/$MY_USERNAME/.irssi/config - echo ' Freedombone = {' >> /home/$MY_USERNAME/.irssi/config - echo ' type = "IRC";' >> /home/$MY_USERNAME/.irssi/config - echo ' max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config - echo ' max_msgs = "4";' >> /home/$MY_USERNAME/.irssi/config - echo ' max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config - echo ' };' >> /home/$MY_USERNAME/.irssi/config - echo ' Freenode = {' >> /home/$MY_USERNAME/.irssi/config - echo ' type = "IRC";' >> /home/$MY_USERNAME/.irssi/config - echo ' max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config - echo ' max_msgs = "4";' >> /home/$MY_USERNAME/.irssi/config - echo ' max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config - echo ' };' >> /home/$MY_USERNAME/.irssi/config - echo ' OFTC = {' >> /home/$MY_USERNAME/.irssi/config - echo ' type = "IRC";' >> /home/$MY_USERNAME/.irssi/config - echo ' max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config - echo ' max_msgs = "1";' >> /home/$MY_USERNAME/.irssi/config - echo ' max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config - echo ' };' >> /home/$MY_USERNAME/.irssi/config - echo '};' >> /home/$MY_USERNAME/.irssi/config - echo '' >> /home/$MY_USERNAME/.irssi/config - echo 'channels = (' >> /home/$MY_USERNAME/.irssi/config - echo ' { name = "#freedombone"; chatnet = "Freedombone"; autojoin = "Yes"; },' >> /home/$MY_USERNAME/.irssi/config - echo ');' >> /home/$MY_USERNAME/.irssi/config - echo '' >> /home/$MY_USERNAME/.irssi/config - echo 'settings = {' >> /home/$MY_USERNAME/.irssi/config - echo " core = { real_name = \"$MY_NAME\"; user_name = \"$MY_USERNAME\"; nick = \"$MY_USERNAME\"; };" >> /home/$MY_USERNAME/.irssi/config - echo ' "fe-text" = { actlist_sort = "refnum"; };' >> /home/$MY_USERNAME/.irssi/config - echo '};' >> /home/$MY_USERNAME/.irssi/config - echo 'ignores = ( { level = "CTCPS"; } );' >> /home/$MY_USERNAME/.irssi/config - - chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.irssi - - echo 'install_irc_client' >> $COMPLETION_FILE -} - -function install_irc_server { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if grep -Fxq "install_irc_server" $COMPLETION_FILE; then - return - fi - apt-get -y install ngircd - - if [ ! -d /etc/ngircd ]; then - echo $"ERROR: ngircd does not appear to have installed. $CHECK_MESSAGE" - exit 53 - fi - - if [ ! -f /etc/ssl/certs/ngircd.dhparam ]; then - ${PROJECT_NAME}-addcert -h ngircd --dhkey $DH_KEYLENGTH - check_certificates ngircd - fi - - DEFAULTDOMAIN=$DEFAULT_DOMAIN_NAME - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - DEFAULTDOMAIN="${DEFAULT_DOMAIN_NAME}.local" - fi - - # create a login password if needed - if [ ! $IRC_PASSWORD ]; then - IRC_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - - echo '**************************************************' > /etc/ngircd/motd - echo $'* F R E E D O M B O N E I R C *' >> /etc/ngircd/motd - echo '* *' >> /etc/ngircd/motd - echo $'* Freedom in the Cloud *' >> /etc/ngircd/motd - echo '**************************************************' >> /etc/ngircd/motd - sed -i 's|MotdFile = /etc/ngircd/ngircd.motd|MotdFile = /etc/ngircd/motd|g' /etc/ngircd/ngircd.conf - sed -i "s/irc@irc.example.com/$MY_EMAIL_ADDRESS/g" /etc/ngircd/ngircd.conf - sed -i "s/irc.example.net/$DEFAULTDOMAIN/g" /etc/ngircd/ngircd.conf - sed -i "s|Yet another IRC Server running on Debian GNU/Linux|IRC Server of $DEFAULTDOMAIN|g" /etc/ngircd/ngircd.conf - sed -i 's/;Password = wealllikedebian/Password =/g' /etc/ngircd/ngircd.conf - sed -i 's|;CertFile = /etc/ssl/certs/server.crt|CertFile = /etc/ssl/certs/ngircd.crt|g' /etc/ngircd/ngircd.conf - sed -i 's|;DHFile = /etc/ngircd/dhparams.pem|DHFile = /etc/ssl/certs/ngircd.dhparam|g' /etc/ngircd/ngircd.conf - sed -i 's|;KeyFile = /etc/ssl/private/server.key|KeyFile = /etc/ssl/private/ngircd.key|g' /etc/ngircd/ngircd.conf - sed -i "s/;Ports =.*/Ports = $IRC_PORT/1" /etc/ngircd/ngircd.conf - sed -i "s/;Ports =.*/Ports = $IRC_PORT/2" /etc/ngircd/ngircd.conf - sed -i "s/;Name = #ngircd/Name = #${PROJECT_NAME}/g" /etc/ngircd/ngircd.conf - sed -i "s/;Topic = Our ngircd testing channel/Topic = ${PROJECT_NAME} chat channel/g" /etc/ngircd/ngircd.conf - sed -i 's/;MaxUsers = 23/MaxUsers = 23/g' /etc/ngircd/ngircd.conf - sed -i "s|;KeyFile = /etc/ngircd/#chan.key|KeyFile = /etc/ngircd/#${PROJECT_NAME}.key|g" /etc/ngircd/ngircd.conf - sed -i "s/;CloakHost = cloaked.host/CloakHost = ${PROJECT_NAME}/g" /etc/ngircd/ngircd.conf - IRC_SALT="$(openssl rand -base64 32 | cut -c1-30)" - if [ -f $IMAGE_PASSWORD_FILE ]; then - IRC_OPERATOR_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - IRC_OPERATOR_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - sed -i "s|;CloakHostSalt = abcdefghijklmnopqrstuvwxyz|CloakHostSalt = $IRC_SALT|g" /etc/ngircd/ngircd.conf - sed -i 's/;ConnectIPv4 = yes/ConnectIPv4 = yes/g' /etc/ngircd/ngircd.conf - sed -i 's/;MorePrivacy = no/MorePrivacy = yes/g' /etc/ngircd/ngircd.conf - sed -i 's/;RequireAuthPing = no/RequireAuthPing = no/g' /etc/ngircd/ngircd.conf - sed -i "s/;Name = TheOper/Name = $MY_USERNAME/g" /etc/ngircd/ngircd.conf - sed -i "s/;Password = ThePwd/Password = $IRC_OPERATOR_PASSWORD/g" /etc/ngircd/ngircd.conf - sed -i 's|;Listen =.*|Listen = 0.0.0.0,0.0.0.0:9050,127.0.0.1,127.0.0.1:9050|g' /etc/ngircd/ngircd.conf - if [ $IRC_PASSWORD ]; then - sed -i "0,/RE/s/Password =.*/Password =$IRC_PASSWORD/" /etc/ngircd/ngircd.conf - fi - # If we are on a mesh then DNS is not available - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - sed -i "s/;DNS =.*/DNS = no/g" /etc/ngircd/ngircd.conf - fi - # upgrade a cypher - sed -i 's|SECURE128|SECURE256|g' /etc/ngircd/ngircd.conf - mkdir /var/run/ircd - chown -R irc:irc /var/run/ircd - mkdir /var/run/ngircd - touch /var/run/ngircd/ngircd.pid - chown -R irc:irc /var/run/ngircd - - IRC_ONION_HOSTNAME=$(add_onion_service irc ${IRC_PORT} ${IRC_ONION_PORT}) - if ! grep -q $"IRC onion domain" $COMPLETION_FILE; then - echo "IRC onion domain:$IRC_ONION_HOSTNAME" >> $COMPLETION_FILE - fi - - systemctl restart ngircd - - # keep the daemon running - echo '' >> /usr/bin/$WATCHDOG_SCRIPT_NAME - echo '# keep irc daemon running' >> /usr/bin/$WATCHDOG_SCRIPT_NAME - echo 'IRC_RUNNING=$(pgrep ngircd > /dev/null && echo Running)' >> /usr/bin/$WATCHDOG_SCRIPT_NAME - echo 'if [ ! $IRC_RUNNING ]; then' >> /usr/bin/$WATCHDOG_SCRIPT_NAME - echo ' systemctl start ngircd' >> /usr/bin/$WATCHDOG_SCRIPT_NAME - echo ' echo -n $CURRENT_DATE >> $LOGFILE' >> /usr/bin/$WATCHDOG_SCRIPT_NAME - echo ' echo " IRC daemon restarted" >> $LOGFILE' >> /usr/bin/$WATCHDOG_SCRIPT_NAME - echo 'fi' >> /usr/bin/$WATCHDOG_SCRIPT_NAME - - if ! grep -q $"IRC Server" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'IRC Server' >> /home/$MY_USERNAME/README - echo '==========' >> /home/$MY_USERNAME/README - echo $'To connect to your IRC server in irssi:' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - if [[ $ONION_ONLY != 'yes' ]]; then - echo " irssi" >> /home/$MY_USERNAME/README - echo " /server add -auto -ssl $DEFAULTDOMAIN $IRC_PORT" >> /home/$MY_USERNAME/README - echo " /connect $DEFAULT_DOMAIN_NAME" >> /home/$MY_USERNAME/README - else - echo " usetorwith irssi" >> /home/$MY_USERNAME/README - echo " /server add -auto $IRC_ONION_HOSTNAME $IRC_PORT" >> /home/$MY_USERNAME/README - echo " /connect $IRC_ONION_HOSTNAME" >> /home/$MY_USERNAME/README - fi - echo " /join #${PROJECT_NAME}" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'install_irc_server' >> $COMPLETION_FILE -} - -function get_wiki_admin_password { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "Wiki password" /home/$MY_USERNAME/README; then - WIKI_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Wiki password:" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi -} - -function install_wiki { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MASH" ]]; then - return - fi - if grep -Fxq "install_wiki" $COMPLETION_FILE; then - return - fi - if [ ! $WIKI_DOMAIN_NAME ]; then - return - fi - apt-get -y install dokuwiki - apt-get -y remove --purge apache* - if [ -d /etc/apache2 ]; then - rm -rf /etc/apache2 - echo $'Removed Apache installation after Dokuwiki install' - fi - - if [ ! -d /var/www/$WIKI_DOMAIN_NAME ]; then - mkdir /var/www/$WIKI_DOMAIN_NAME - fi - if [ -d /var/www/$WIKI_DOMAIN_NAME/htdocs ]; then - rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs - fi - - ln -s /usr/share/dokuwiki /var/www/$WIKI_DOMAIN_NAME/htdocs - - mkdir /var/lib/dokuwiki/custom - cp /etc/dokuwiki/local.php.dist /var/lib/dokuwiki/custom/local.php - ln -s /var/lib/dokuwiki/custom/local.php /etc/dokuwiki/local.php - - chown www-data /var/lib/dokuwiki/custom - chown www-data /var/lib/dokuwiki/custom/local.php - chown -R www-data /etc/dokuwiki - chown -R www-data /usr/share/dokuwiki/lib/ - chmod 600 /var/lib/dokuwiki/custom/local.php - chmod -R 755 /usr/share/dokuwiki/lib - - sed -i 's|//$conf|$conf|g' /var/lib/dokuwiki/custom/local.php - sed -i "s|joe|$MY_USERNAME|g" /var/lib/dokuwiki/custom/local.php - - sed -i "s|Debian DokuWiki|$WIKI_TITLE|g" /etc/dokuwiki/local.php - - # set the admin user - sed -i "s/@admin/$MY_USERNAME/g" /etc/dokuwiki/local.php - - # disallow registration of new users - if ! grep -q "disableactions" /etc/dokuwiki/local.php; then - echo "\$conf['disableactions'] = 'register';" >> /etc/dokuwiki/local.php - fi - if ! grep -q "disableactions" /var/lib/dokuwiki/custom/local.php; then - echo "\$conf['disableactions'] = 'register';" >> /var/lib/dokuwiki/custom/local.php - fi - - if ! grep -q "authtype" /var/lib/dokuwiki/custom/local.php; then - echo "\$conf['authtype'] = 'authplain';" >> /var/lib/dokuwiki/custom/local.php - fi - if ! grep -q "authtype" /etc/dokuwiki/local.php; then - echo "\$conf['authtype'] = 'authplain';" >> /etc/dokuwiki/local.php - fi - - get_wiki_admin_password - if [ ! $WIKI_ADMIN_PASSWORD ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - WIKI_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - WIKI_ADMIN_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - fi - HASHED_WIKI_PASSWORD=$(echo -n "$WIKI_ADMIN_PASSWORD" | md5sum | awk -F ' ' '{print $1}') - echo -n "$MY_USERNAME:$HASHED_WIKI_PASSWORD:$MY_NAME:$MY_EMAIL:admin,user,upload" > /var/lib/dokuwiki/acl/users.auth.php - chmod 640 /var/lib/dokuwiki/acl/users.auth.php - - if ! grep -q "video/ogg" /etc/dokuwiki/mime.conf; then - echo 'ogv video/ogg' >> /etc/dokuwiki/mime.conf - fi - if ! grep -q "video/mp4" /etc/dokuwiki/mime.conf; then - echo 'mp4 video/mp4' >> /etc/dokuwiki/mime.conf - fi - if ! grep -q "video/webm" /etc/dokuwiki/mime.conf; then - echo 'webm video/webm' >> /etc/dokuwiki/mime.conf - fi - - WIKI_ONION_HOSTNAME=$(add_onion_service wiki 80 ${WIKI_ONION_PORT}) - - if [[ $ONION_ONLY == "no" ]]; then - echo 'server {' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' listen 80;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - nginx_disable_sniffing $WIKI_DOMAIN_NAME - nginx_limits $WIKI_DOMAIN_NAME - echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - nginx_limits $WIKI_DOMAIN_NAME - nginx_ssl $WIKI_DOMAIN_NAME - nginx_disable_sniffing $WIKI_DOMAIN_NAME - echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # webmail' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location /webmail {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' rewrite ^/(.*) /webmail/index.php last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' rewrite ^/(.*) /webmail/installer/index.php last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - else - echo -n '' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - fi - echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " listen 127.0.0.1:${WIKI_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " server_name $WIKI_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - nginx_limits $WIKI_DOMAIN_NAME - nginx_disable_sniffing $WIKI_DOMAIN_NAME - echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME - - create_site_certificate $WIKI_DOMAIN_NAME - - configure_php - - nginx_ensite $WIKI_DOMAIN_NAME - - systemctl restart php5-fpm - systemctl restart nginx - - echo "Wiki onion domain:${WIKI_ONION_HOSTNAME}" >> $COMPLETION_FILE - - add_ddns_domain $WIKI_DOMAIN_NAME - - # add some post-install instructions - if ! grep -q $"Wiki password" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Wiki' >> /home/$MY_USERNAME/README - echo '====' >> /home/$MY_USERNAME/README - echo $"Wiki onion domain: ${WIKI_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README - echo $"Wiki username: $MY_USERNAME" >> /home/$MY_USERNAME/README - echo $"Wiki password: $WIKI_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Once you have set up the wiki then remove the install file:' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo " rm /var/www/$WIKI_DOMAIN_NAME/htdocs/install.php" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo "Wiki domain:$WIKI_DOMAIN_NAME" >> $COMPLETION_FILE - echo 'install_wiki' >> $COMPLETION_FILE -} - -function get_blog_admin_password { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "Your blog password is" /home/$MY_USERNAME/README; then - FULLBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Your blog password is" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi -} - -function install_blog { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! $FULLBLOG_DOMAIN_NAME ]; then - echo $'The blog domain name was not specified' - exit 5062 - fi - - # update to the next commit - set_repo_commit /var/www/$FULLBLOG_DOMAIN_NAME/htdocs "Blog commit" "$FULLBLOG_COMMIT" $FULLBLOG_REPO - - if grep -Fxq "install_blog" $COMPLETION_FILE; then - return - fi - - # for the avatar changing command - apt-get -y install imagemagick - - if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME ]; then - mkdir /var/www/$FULLBLOG_DOMAIN_NAME - fi - - cd /var/www/$FULLBLOG_DOMAIN_NAME - git_clone $FULLBLOG_REPO htdocs - cd htdocs - git checkout $FULLBLOG_COMMIT -b $FULLBLOG_COMMIT - if ! grep -q "Blog commit" $COMPLETION_FILE; then - echo "Blog commit:$FULLBLOG_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/Blog commit.*/Blog commit:$FULLBLOG_COMMIT/g" $COMPLETION_FILE - fi - cd /var/www/$FULLBLOG_DOMAIN_NAME - - chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs - - if [[ $ONION_ONLY == "no" ]]; then - nginx_http_redirect $FULLBLOG_DOMAIN_NAME - echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - nginx_limits $FULLBLOG_DOMAIN_NAME - nginx_ssl $FULLBLOG_DOMAIN_NAME - nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME - echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - else - echo -n '' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - fi - echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " listen 127.0.0.1:${FULLBLOG_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - nginx_limits $FULLBLOG_DOMAIN_NAME - nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME - echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME - - create_site_certificate $FULLBLOG_DOMAIN_NAME 'yes' - - configure_php - - # blog settings - cp /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini.example /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - sed -i "s|site.url.*|site.url = '/'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - sed -i "s|blog.title.*|blog.title = '$MY_BLOG_TITLE'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - sed -i "s|blog.tagline.*|blog.tagline = '$MY_BLOG_SUBTITLE'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - sed -i 's|timezone.*|timezone = "Europe/London"|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - sed -i "s|Your name|$MY_NAME|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - - # set social networks - if grep -q "social.hubzilla" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini; then - sed -i "s|;social.hubzilla|social.hubzilla|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - sed -i "s|social.hubzilla.*|social.hubzilla = \"$HUBZILLA_DOMAIN_NAME\"|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - fi - if grep -q "social.gnusocial" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini; then - sed -i "s|;social.gnusocial|social.gnusocial|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - sed -i "s|social.gnusocial.*|social.gnusocial = \"$MICROBLOG_DOMAIN_NAME\"|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - fi - - # clear proprietary social network strings - sed -i 's|social.facebook.*|social.facebook = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - sed -i 's|social.twitter.*|social.twitter = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - sed -i 's|social.google.*|social.google = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini - - # create a user password - get_blog_admin_password - if [ ! $FULLBLOG_ADMIN_PASSWORD ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - FULLBLOG_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - FULLBLOG_ADMIN_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'HTMLy Blog' >> /home/$MY_USERNAME/README - echo '==========' >> /home/$MY_USERNAME/README - echo $"Your blog username: $MY_USERNAME" >> /home/$MY_USERNAME/README - echo $"Your blog password is: $FULLBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README - if [[ $ONION_ONLY == 'no' ]]; then - echo $"Log into your blog at https://$FULLBLOG_DOMAIN_NAME/login" >> /home/$MY_USERNAME/README - fi - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - # create a user - FULLBLOG_ADMIN_PASSWORD_HASH=$(freedombone-sec --bloghash "$FULLBLOG_ADMIN_PASSWORD") - if [ ${#FULLBLOG_ADMIN_PASSWORD_HASH} -lt 8 ]; then - echo $'Blog admin password could not be hashed' - exit 625728 - fi - echo ';Password' > /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini - echo "password = $FULLBLOG_ADMIN_PASSWORD_HASH" >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini - echo 'encryption = password_hash' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini - echo ';Role' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini - echo 'role = admin' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini - - nginx_ensite $FULLBLOG_DOMAIN_NAME - - FULLBLOG_ONION_HOSTNAME=$(add_onion_service blog 80 ${FULLBLOG_ONION_PORT}) - - systemctl restart php5-fpm - systemctl restart nginx - - if ! grep -q "Blog onion domain" /home/$MY_USERNAME/README; then - echo $"Blog onion domain: ${FULLBLOG_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README - echo $"Log into your blog at https://${FULLBLOG_ONION_HOSTNAME}/login" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - echo "Blog onion domain:${FULLBLOG_ONION_HOSTNAME}" >> $COMPLETION_FILE - - add_ddns_domain $FULLBLOG_DOMAIN_NAME - - echo 'install_blog' >> $COMPLETION_FILE -} - -function install_rss_reader { - if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - # update to the next commit - set_repo_commit $RSS_READER_PATH "RSS reader commit" "$RSS_READER_COMMIT" $RSS_READER_REPO - - if grep -Fxq "install_rss_reader" $COMPLETION_FILE; then - return - fi - - apt-get -y install php-gettext php5-curl php5-gd php5-mysql git curl php-xml-parser - - if [ ! -d /etc/share ]; then - mkdir /etc/share - fi - cd /etc/share - git_clone $RSS_READER_REPO tt-rss - if [ ! -d $RSS_READER_PATH ]; then - echo $'Could not clone RSS reader repo' - exit 52925 - fi - cd $RSS_READER_PATH - git checkout $RSS_READER_COMMIT -b $RSS_READER_COMMIT - if ! grep -q "RSS reader commit" $COMPLETION_FILE; then - echo "RSS reader commit:$RSS_READER_COMMIT" >> $COMPLETION_FILE - fi - - install_mariadb - get_mariadb_password - repair_databases_script - - get_mariadb_rss_reader_admin_password - if [ ! $RSS_READER_ADMIN_PASSWORD ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - RSS_READER_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - RSS_READER_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - fi - - create_database ttrss "$RSS_READER_ADMIN_PASSWORD" $MY_USERNAME - - RSS_READER_ONION_HOSTNAME=$(add_onion_service ttrss 80 ${RSS_READER_ONION_PORT}) - RSS_MOBILE_READER_ONION_HOSTNAME=$(add_onion_service ttrss 80 ${RSS_MOBILE_READER_ONION_PORT}) - - echo 'server {' > /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo " listen 127.0.0.1:$RSS_MOBILE_READER_ONION_PORT;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo " server_name $RSS_MOBILE_READER_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' error_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' root /etc/share/ttrss-mobile;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' index index.html index.php;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' try_files $uri $uri/ @ttrss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location /tt-rss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' try_files $uri $uri/ @ttrss_base;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location @ttrss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' rewrite ^(.*)$ /index.html?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location @ttrss_base {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location ~ /\.(git) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo 'server {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo " listen 127.0.0.1:$RSS_READER_ONION_PORT default_server;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo " server_name $RSS_READER_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' error_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' root /etc/share/tt-rss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' index index.php;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' set $mobile_rewrite do_not_perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' ## chi http_user_agent for mobile / smart phones ##' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino") {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' set $mobile_rewrite perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' if ($http_user_agent ~* "^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-)") {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' set $mobile_rewrite perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' if ($mobile_rewrite = perform) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo " rewrite ^/(.*) http://$RSS_MOBILE_READER_ONION_HOSTNAME permanent;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' break;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' try_files $uri $uri/ @ttrss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location @ttrss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' location ~ /\.(git) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME - - if [ ! -f $RSS_READER_PATH/config.php ]; then - # generate a config file - RSS_FEED_CRYPT_KEY="$(openssl rand -base64 26 | cut -c1-24)" - echo ' $RSS_READER_PATH/config.php - echo " define ('_CURL_HTTP_PROXY', '127.0.0.1:9050');" >> $RSS_READER_PATH/config.php - echo " define('DB_TYPE', 'mysql');" >> $RSS_READER_PATH/config.php - echo " define('DB_HOST', 'localhost');" >> $RSS_READER_PATH/config.php - echo " define('DB_USER', 'root');" >> $RSS_READER_PATH/config.php - echo " define('DB_NAME', 'ttrss');" >> $RSS_READER_PATH/config.php - echo " define('DB_PASS', '${MARIADB_PASSWORD}');" >> $RSS_READER_PATH/config.php - echo " define('DB_PORT', '3306');" >> $RSS_READER_PATH/config.php - echo " define('MYSQL_CHARSET', 'UTF8');" >> $RSS_READER_PATH/config.php - echo " define('SELF_URL_PATH', 'http://${RSS_READER_ONION_HOSTNAME}/');" >> $RSS_READER_PATH/config.php - echo " define('FEED_CRYPT_KEY', '${RSS_FEED_CRYPT_KEY}');" >> $RSS_READER_PATH/config.php - echo " define('SINGLE_USER_MODE', false);" >> $RSS_READER_PATH/config.php - echo " define('SIMPLE_UPDATE_MODE', false);" >> $RSS_READER_PATH/config.php - echo " define('PHP_EXECUTABLE', '/usr/bin/php');" >> $RSS_READER_PATH/config.php - echo " define('LOCK_DIRECTORY', 'lock');" >> $RSS_READER_PATH/config.php - echo " define('CACHE_DIR', 'cache');" >> $RSS_READER_PATH/config.php - echo " define('ICONS_DIR', \"feed-icons\");" >> $RSS_READER_PATH/config.php - echo " define('ICONS_URL', \"feed-icons\");" >> $RSS_READER_PATH/config.php - echo " define('AUTH_AUTO_CREATE', true);" >> $RSS_READER_PATH/config.php - echo " define('AUTH_AUTO_LOGIN', true);" >> $RSS_READER_PATH/config.php - echo " define('FORCE_ARTICLE_PURGE', 0);" >> $RSS_READER_PATH/config.php - echo " define('PUBSUBHUBBUB_HUB', '');" >> $RSS_READER_PATH/config.php - echo " define('PUBSUBHUBBUB_ENABLED', false);" >> $RSS_READER_PATH/config.php - echo " define('SPHINX_SERVER', 'localhost:9312');" >> $RSS_READER_PATH/config.php - echo " define('SPHINX_INDEX', 'ttrss, delta');" >> $RSS_READER_PATH/config.php - echo " define('ENABLE_REGISTRATION', false);" >> $RSS_READER_PATH/config.php - echo " define('REG_NOTIFY_ADDRESS', '${MY_EMAIL_ADDRESS}');" >> $RSS_READER_PATH/config.php - echo " define('REG_MAX_USERS', 10);" >> $RSS_READER_PATH/config.php - echo " define('SESSION_COOKIE_LIFETIME', 86400);" >> $RSS_READER_PATH/config.php - echo " define('SMTP_FROM_NAME', 'Tiny Tiny RSS');" >> $RSS_READER_PATH/config.php - echo " define('SMTP_FROM_ADDRESS', 'noreply@${RSS_READER_ONION_HOSTNAME}');" >> $RSS_READER_PATH/config.php - echo " define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');" >> $RSS_READER_PATH/config.php - echo " define('SMTP_SERVER', '');" >> $RSS_READER_PATH/config.php - echo " define('SMTP_LOGIN', '');" >> $RSS_READER_PATH/config.php - echo " define('SMTP_PASSWORD', '');" >> $RSS_READER_PATH/config.php - echo " define('SMTP_SECURE', '');" >> $RSS_READER_PATH/config.php - echo " define('CHECK_FOR_UPDATES', false);" >> $RSS_READER_PATH/config.php - echo " define('ENABLE_GZIP_OUTPUT', false);" >> $RSS_READER_PATH/config.php - echo " define('PLUGINS', 'auth_internal, note, gnusocial');" >> $RSS_READER_PATH/config.php - echo " define('LOG_DESTINATION', 'sql');" >> $RSS_READER_PATH/config.php - echo " define('CONFIG_VERSION', 26);" >> $RSS_READER_PATH/config.php - fi - - # initialize the database - if [ ! -f $RSS_READER_PATH/schema/ttrss_schema_mysql.sql ]; then - echo $'No database schema found for rss reader' - exit 52926 - fi - mysql -u root --password="$MARIADB_PASSWORD" -D ttrss < $RSS_READER_PATH/schema/ttrss_schema_mysql.sql - - # change the password from the default - RSS_READER_ADMIN_PASSWORD_HASH=$(echo -n "${RSS_READER_ADMIN_PASSWORD}" | sha1sum | awk -F ' ' '{print $1}') - mysql -u root --password="$MARIADB_PASSWORD" -e "update ttrss_users set pwd_hash = 'SHA1:${RSS_READER_ADMIN_PASSWORD_HASH}', salt= '' WHERE login = 'admin';" ttrss - - rss_reader_modifications - - configure_php - - nginx_ensite $RSS_READER_DOMAIN_NAME - systemctl restart php5-fpm - systemctl restart nginx - - if ! grep -q "RSS reader onion domain" $COMPLETION_FILE; then - echo "RSS reader onion domain:${RSS_READER_ONION_HOSTNAME}" >> $COMPLETION_FILE - fi - if ! grep -q "RSS reader domain" $COMPLETION_FILE; then - echo "RSS reader domain:${RSS_READER_DOMAIN_NAME}" >> $COMPLETION_FILE - fi - - # daemon to update feeds - echo '[Unit]' > /etc/systemd/system/ttrss.service - echo 'Description=ttrss_backend' >> /etc/systemd/system/ttrss.service - echo 'After=network.target mysql.service' >> /etc/systemd/system/ttrss.service - echo 'After=tor.service' >> /etc/systemd/system/ttrss.service - echo '' >> /etc/systemd/system/ttrss.service - echo '[Service]' >> /etc/systemd/system/ttrss.service - echo 'User=www-data' >> /etc/systemd/system/ttrss.service - echo "ExecStart=/usr/bin/php $RSS_READER_PATH/update.php --daemon" >> /etc/systemd/system/ttrss.service - echo '' >> /etc/systemd/system/ttrss.service - echo '[Install]' >> /etc/systemd/system/ttrss.service - echo 'WantedBy=multi-user.target' >> /etc/systemd/system/ttrss.service - systemctl enable ttrss - systemctl daemon-reload - systemctl start ttrss - - # some post-install instructions for the user - if ! grep -q $"RSS Reader" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'RSS Reader' >> /home/$MY_USERNAME/README - echo '==========' >> /home/$MY_USERNAME/README - echo $"RSS reader domain: ${RSS_READER_DOMAIN_NAME}" >> /home/$MY_USERNAME/README - echo $"RSS reader onion domain: ${RSS_READER_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README - echo $"RSS reader admin username: admin" >> /home/$MY_USERNAME/README - echo $"RSS reader admin password: ${RSS_READER_ADMIN_PASSWORD}" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'install_rss_reader' >> $COMPLETION_FILE -} - -function install_rss_reader_gnusocial { - if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - if [ ! $MICROBLOG_DOMAIN_NAME ]; then - return - fi - - if [ ! $RSS_READER_PATH ]; then - RSS_READER_PATH=/etc/share/tt-rss - fi - RSS_READER_GNUSOCIAL_PATH=${RSS_READER_PATH}/plugins/gnusocial - - # update to the next commit - set_repo_commit $RSS_READER_GNUSOCIAL_PATH "RSS reader gnusocial commit" "$RSS_READER_GNUSOCIAL_COMMIT" $RSS_READER_GNUSOCIAL_REPO - chown -R www-data:www-data $RSS_READER_GNUSOCIAL_PATH - - if grep -Fxq "install_rss_reader_gnusocial" $COMPLETION_FILE; then - return - fi - - if [ ! -d $INSTALL_DIR ]; then - mkdir -p $INSTALL_DIR - fi - - cd $INSTALL_DIR - git_clone $RSS_READER_GNUSOCIAL_REPO ttrss-gnusocial - if [ ! -d $INSTALL_DIR/ttrss-gnusocial ]; then - echo $'Could not clone repo for RSS reader GNU Social plugin' - exit 52838 - fi - cp -r $INSTALL_DIR/ttrss-gnusocial $RSS_READER_GNUSOCIAL_PATH - cd $RSS_READER_GNUSOCIAL_PATH - git checkout $RSS_READER_GNUSOCIAL_COMMIT -b $RSS_READER_GNUSOCIAL_COMMIT - if ! grep -q "RSS reader gnusocial commit" $COMPLETION_FILE; then - echo "RSS reader gnusocial commit:$RSS_READER_GNUSOCIAL_COMMIT" >> $COMPLETION_FILE - fi - chown -R www-data:www-data $RSS_READER_GNUSOCIAL_PATH - - echo 'install_rss_reader_gnusocial' >> $COMPLETION_FILE -} - -function install_rss_mobile_reader { - if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - if [ ! $RSS_READER_PATH ]; then - RSS_READER_PATH=/etc/share/tt-rss - fi - - if [ ! -d $RSS_READER_PATH ]; then - echo $'tt-rss is not installed, so the mobile version cannot be installed' - exit 63452 - fi - - RSS_MOBILE_READER_PATH=/etc/share/ttrss-mobile - - # remove any previous install - if [ -d $RSS_READER_PATH/g2ttree-mobile ]; then - if grep -Fxq "install_rss_mobile_reader" $COMPLETION_FILE; then - sed -i '/install_rss_mobile_reader/d' $COMPLETION_FILE - sed -i '/RSS mobile reader commit/d' $COMPLETION_FILE - rm -rf $RSS_READER_PATH/g2ttree-mobile - fi - fi - - # update to the next commit - set_repo_commit $RSS_MOBILE_READER_PATH "RSS mobile reader commit" "$RSS_MOBILE_READER_COMMIT" $RSS_MOBILE_READER_REPO - - if grep -Fxq "install_rss_mobile_reader" $COMPLETION_FILE; then - return - fi - - cd /etc/share - git_clone $RSS_MOBILE_READER_REPO ttrss-mobile - if [ ! -d $RSS_MOBILE_READER_PATH ]; then - echo $'Could not clone RSS mobile reader repo' - exit 24816 - fi - cd $RSS_MOBILE_READER_PATH - git checkout $RSS_MOBILE_READER_COMMIT -b $RSS_MOBILE_READER_COMMIT - if ! grep -q "RSS mobile reader commit" $COMPLETION_FILE; then - echo "RSS mobile reader commit:$RSS_MOBILE_READER_COMMIT" >> $COMPLETION_FILE - fi - - echo 'define({' > $RSS_MOBILE_READER_PATH/scripts/conf.js - echo ' apiPath: "/tt-rss/"' >> $RSS_MOBILE_READER_PATH/scripts/conf.js - echo '});' >> $RSS_MOBILE_READER_PATH/scripts/conf.js - - # link to the main site - ln -s $RSS_READER_PATH $RSS_MOBILE_READER_PATH/tt-rss - - chown -R www-data:www-data $RSS_MOBILE_READER_PATH - chown -R www-data:www-data $RSS_READER_PATH - chmod a+x $RSS_MOBILE_READER_PATH - - echo 'install_rss_mobile_reader' >> $COMPLETION_FILE -} - -function install_gnu_social { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! $MICROBLOG_DOMAIN_NAME ]; then - echo $'No domain name was given for the microblog' - exit 7359 - fi - - # update to the next commit - set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs "GNU Social commit" "$MICROBLOG_COMMIT" $MICROBLOG_REPO - - # add a script to check that the daemon is running - echo '#!/bin/bash' > /etc/cron.hourly/gnusocial-daemons - echo 'daemon_lines=$(ps aux | grep "scripts/queuedaemon.php" | grep "/var/www")' >> /etc/cron.hourly/gnusocial-daemons - echo 'if [[ $daemon_lines != *"/var/www/"* ]]; then' >> /etc/cron.hourly/gnusocial-daemons - - echo " ADMIN_USER=\$(cat $COMPLETION_FILE | grep 'Admin user' | awk -F ':' '{print \$2}')" >> /etc/cron.hourly/gnusocial-daemons - echo ' MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME' >> /etc/cron.hourly/gnusocial-daemons - echo ' echo "Restarting GNU Social daemons" | mail -s "GNU Social daemons not found" $MY_EMAIL_ADDRESS' >> /etc/cron.hourly/gnusocial-daemons - echo " cd /var/www/${MICROBLOG_DOMAIN_NAME}/htdocs" >> /etc/cron.hourly/gnusocial-daemons - echo ' scripts/startdaemons.sh' >> /etc/cron.hourly/gnusocial-daemons - echo 'fi' >> /etc/cron.hourly/gnusocial-daemons - chmod +x /etc/cron.hourly/gnusocial-daemons - - if grep -Fxq "install_gnu_social" $COMPLETION_FILE; then - return - fi - - install_mariadb - get_mariadb_password - repair_databases_script - - apt-get -y install php-gettext php5-curl php5-gd php5-mysql git curl php-xml-parser - apt-get -y install php5-memcached - - if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME ]; then - mkdir /var/www/$MICROBLOG_DOMAIN_NAME - fi - if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then - git_clone $MICROBLOG_REPO /var/www/$MICROBLOG_DOMAIN_NAME/htdocs - if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then - echo $'Unable to clone gnusocial repo' - exit 87525 - fi - fi - - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs - git checkout $MICROBLOG_COMMIT -b $MICROBLOG_COMMIT - if ! grep -q "GNU Social commit" $COMPLETION_FILE; then - echo "GNU Social commit:$MICROBLOG_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/GNU Social commit.*/GNU Social commit:$MICROBLOG_COMMIT/g" $COMPLETION_FILE - fi - - chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs - chown www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs - chmod +x /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php - - get_mariadb_gnusocial_admin_password - if [ ! $MICROBLOG_ADMIN_PASSWORD ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - MICROBLOG_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - MICROBLOG_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - fi - - create_database gnusocial "$MICROBLOG_ADMIN_PASSWORD" $MY_USERNAME - - if [ ! -f "/etc/aliases" ]; then - touch /etc/aliases - fi - if ! grep -q "www-data: root" /etc/aliases; then - echo 'www-data: root' >> /etc/aliases - fi - if ! grep -q "/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" /etc/aliases; then - echo "*: /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" >> /etc/aliases - fi - - add_ddns_domain $MICROBLOG_DOMAIN_NAME - - microblog_nginx_site=/etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME - if [[ $ONION_ONLY == "no" ]]; then - nginx_http_redirect $MICROBLOG_DOMAIN_NAME - echo 'server {' >> $microblog_nginx_site - echo ' listen 443 ssl;' >> $microblog_nginx_site - echo " server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Security' >> $microblog_nginx_site - nginx_ssl $MICROBLOG_DOMAIN_NAME - nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME - nginx_limits $MICROBLOG_DOMAIN_NAME '15m' - echo ' add_header Strict-Transport-Security max-age=15768000;' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Logs' >> $microblog_nginx_site - echo ' access_log off;' >> $microblog_nginx_site - echo ' error_log off;' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Root' >> $microblog_nginx_site - echo " root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Index' >> $microblog_nginx_site - echo ' index index.php;' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # PHP' >> $microblog_nginx_site - echo ' location ~ \.php {' >> $microblog_nginx_site - echo ' include snippets/fastcgi-php.conf;' >> $microblog_nginx_site - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> $microblog_nginx_site - echo ' }' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Location' >> $microblog_nginx_site - echo ' location / {' >> $microblog_nginx_site - echo ' try_files $uri $uri/ @gnusocial;' >> $microblog_nginx_site - echo ' }' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Fancy URLs' >> $microblog_nginx_site - echo ' location @gnusocial {' >> $microblog_nginx_site - echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> $microblog_nginx_site - echo ' }' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Restrict access that is unnecessary anyway' >> $microblog_nginx_site - echo ' location ~ /\.(ht|git) {' >> $microblog_nginx_site - echo ' deny all;' >> $microblog_nginx_site - echo ' }' >> $microblog_nginx_site - echo '}' >> $microblog_nginx_site - else - echo -n '' > $microblog_nginx_site - fi - echo 'server {' >> $microblog_nginx_site - echo " listen 127.0.0.1:$MICROBLOG_ONION_PORT default_server;" >> $microblog_nginx_site - echo " server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME - nginx_limits $MICROBLOG_DOMAIN_NAME '15m' - echo '' >> $microblog_nginx_site - echo ' # Logs' >> $microblog_nginx_site - echo ' access_log off;' >> $microblog_nginx_site - echo ' error_log off;' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Root' >> $microblog_nginx_site - echo " root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Index' >> $microblog_nginx_site - echo ' index index.php;' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # PHP' >> $microblog_nginx_site - echo ' location ~ \.php {' >> $microblog_nginx_site - echo ' include snippets/fastcgi-php.conf;' >> $microblog_nginx_site - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> $microblog_nginx_site - echo ' }' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Location' >> $microblog_nginx_site - echo ' location / {' >> $microblog_nginx_site - echo ' try_files $uri $uri/ @gnusocial;' >> $microblog_nginx_site - echo ' }' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Fancy URLs' >> $microblog_nginx_site - echo ' location @gnusocial {' >> $microblog_nginx_site - echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> $microblog_nginx_site - echo ' }' >> $microblog_nginx_site - echo '' >> $microblog_nginx_site - echo ' # Restrict access that is unnecessary anyway' >> $microblog_nginx_site - echo ' location ~ /\.(ht|git) {' >> $microblog_nginx_site - echo ' deny all;' >> $microblog_nginx_site - echo ' }' >> $microblog_nginx_site - echo '}' >> $microblog_nginx_site - - configure_php - - create_site_certificate $MICROBLOG_DOMAIN_NAME 'yes' - - # Ensure that the database gets backed up locally, if remote - # backups are not being used - backup_databases_script_header - - backup_database_local gnusocial - - nginx_ensite $MICROBLOG_DOMAIN_NAME - - # NOTE: For the typical case always enable SSL and only - # disable it if in onion only mode. This is due to complexities - # with the way URLs are generated by GNU Social - gnu_social_ssl='always' - if [[ $ONION_ONLY != 'no' ]]; then - gnu_social_ssl='never' - fi - - MICROBLOG_ONION_HOSTNAME=$(add_onion_service microblog 80 ${MICROBLOG_ONION_PORT}) - - MICROBLOG_SERVER=${MICROBLOG_DOMAIN_NAME} - if [[ $ONION_ONLY != 'no' ]]; then - MICROBLOG_SERVER=${MICROBLOG_ONION_HOSTNAME} - fi - - # Create the configuration - gnu_social_installer=/var/www/${MICROBLOG_DOMAIN_NAME}/htdocs/scripts/install_cli.php - if [ ! -f $gnu_social_installer ]; then - echo $'No GNU Social commandline installer found' - exit 53026 - fi - ${gnu_social_installer} --server "${MICROBLOG_SERVER}" \ - --host="localhost" --database="gnusocial" \ - --dbtype=mysql --username="root" -v \ - --password="$MARIADB_PASSWORD" \ - --sitename=$"GNU Social" --fancy='yes' \ - --admin-nick="$MY_USERNAME" \ - --admin-pass="$MICROBLOG_ADMIN_PASSWORD" \ - --site-profile="community" \ - --ssl=${gnu_social_ssl} - # There can be a lot of warnings here so the return value check is disabled - #if [ ! "$?" = "0" ]; then - # # failed to install - # echo $'Could not install GNU Social' - # exit 72357 - #fi - - # check microblog has a config file - microblog_config_file=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php - if [ ! -f $microblog_config_file ]; then - echo $'Microblog config.php not found' - exit 87586 - fi - - # Some useful settings - if ! grep -q "Recommended GNU social settings" $microblog_config_file; then - echo "" >> $microblog_config_file - echo "// Recommended GNU social settings" >> $microblog_config_file - echo "\$config['thumbnail']['maxsize'] = 3000;" >> $microblog_config_file - echo "\$config['profile']['delete'] = true;" >> $microblog_config_file - echo "\$config['profile']['changenick'] = true;" >> $microblog_config_file - echo "\$config['public']['localonly'] = false;" >> $microblog_config_file - echo "addPlugin('StoreRemoteMedia');" >> $microblog_config_file - echo "\$config['queue']['enabled'] = true;" >> $microblog_config_file - echo "\$config['queue']['daemon'] = true;" >> $microblog_config_file - fi - - # This improves performance - sed -i "s|//\$config\['db'\]\['schemacheck'\].*|\$config\['db'\]\['schemacheck'\] = 'script';|g" $microblog_config_file - - systemctl restart php5-fpm - systemctl restart nginx - - freedombone-addemail -u $MY_USERNAME -e "noreply@$MICROBLOG_DOMAIN_NAME" -g gnusocial --public no - - # some post-install instructions for the user - if ! grep -q $"Microblog administrator" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Microblog' >> /home/$MY_USERNAME/README - echo '=========' >> /home/$MY_USERNAME/README - echo $"Microblog administrator nickname: $MY_USERNAME" >> /home/$MY_USERNAME/README - echo $"Microblog administrator password: $MICROBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - if ! grep -q "Microblog onion domain" /home/$MY_USERNAME/README; then - echo $"Microblog onion domain: ${MICROBLOG_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - echo "GNU Social onion domain:${MICROBLOG_ONION_HOSTNAME}" >> $COMPLETION_FILE - - echo "GNU Social domain:$MICROBLOG_DOMAIN_NAME" >> $COMPLETION_FILE - echo 'install_gnu_social' >> $COMPLETION_FILE -} - -function install_gnu_social_plugin_sharings { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then - echo $'No local/plugins directory found for the microblog' - exit 72945 - fi - - # update to the next commit - set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins "GNU Social sharings plugin commit" "$SHARINGS_COMMIT" $SHARINGS_REPO - - if grep -Fxq "install_gnu_social_plugin_sharings" $COMPLETION_FILE; then - return - fi - - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins - git_clone $SHARINGS_REPO Sharings - if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings ]; then - echo $'Unable to clone microblog sharings plugin' - exit 36738 - fi - - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings - git stash - git checkout master - git branch -D $SHARINGS_COMMIT - git checkout $SHARINGS_COMMIT -b $SHARINGS_COMMIT - - # enable the plugin - if ! grep -q "addPlugin('Sharings');" /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php; then - echo "addPlugin('Sharings');" >> /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php - fi - - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs - php scripts/checkschema.php - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings - php scripts/seedsharings.php - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs - php scripts/checkschema.php - - # Languages - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en/LC_MESSAGES - msgfmt -o Sharings.mo Sharings.po - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en_GB/LC_MESSAGES - msgfmt -o Sharings.mo Sharings.po - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en_US/LC_MESSAGES - msgfmt -o Sharings.mo Sharings.po - - chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs - - if ! grep -q "GNU Social sharings plugin commit" $COMPLETION_FILE; then - echo "GNU Social sharings plugin commit:$SHARINGS_COMMIT" >> $COMPLETION_FILE - else - sed -i "s|GNU Social sharings plugin commit.*|GNU Social sharings plugin commit:$SHARINGS_COMMIT|g" $COMPLETION_FILE - fi - echo 'install_gnu_social_plugin_sharings' >> $COMPLETION_FILE -} - -function install_gnu_social_plugin_sharings_theme { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then - echo $'No local/plugins directory found for the microblog' - exit 74458 - fi - - # update to the next commit - set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins "GNU Social sharings theme plugin commit" "$SHARINGS_THEME_COMMIT" $SHARINGS_THEME_REPO - - if grep -Fxq "install_gnu_social_plugin_sharings_theme" $COMPLETION_FILE; then - return - fi - - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins - git_clone $SHARINGS_THEME_REPO SharingsTheme - if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/SharingsTheme ]; then - echo $'Unable to clone microblog sharings plugin theme' - exit 639253 - fi - - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/SharingsTheme - git stash - git checkout master - git branch -D $SHARINGS_THEME_COMMIT - git checkout $SHARINGS_THEME_COMMIT -b $SHARINGS_THEME_COMMIT - - # enable the plugin - if ! grep -q "addPlugin('SharingsTheme');" /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php; then - echo "addPlugin('SharingsTheme');" >> /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php - fi - - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs - php scripts/checkschema.php - - chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs - - if ! grep -q "GNU Social sharings plugin theme commit" $COMPLETION_FILE; then - echo "GNU Social sharings plugin theme commit:$SHARINGS_THEME_COMMIT" >> $COMPLETION_FILE - else - sed -i "s|GNU Social sharings plugin theme commit.*|GNU Social sharings plugin theme commit:$SHARINGS_THEME_COMMIT|g" $COMPLETION_FILE - fi - echo 'install_gnu_social_plugin_sharings_theme' >> $COMPLETION_FILE -} - -function expire_gnu_social_posts { - # To prevent the database size from growing endlessly this script expires posts - # after a number of months - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then - return - fi - - gnusocial_expire_script=/usr/bin/gnusocial-expire - - echo ' $gnusocial_expire_script - echo '' >> $gnusocial_expire_script - echo '// GNU Social post expiry script, based on StatExpire by Tony Baldwin' >> $gnusocial_expire_script - echo '// https://github.com/tonybaldwin/statexpire' >> $gnusocial_expire_script - echo '' >> $gnusocial_expire_script - echo '$oldate=date(("Y-m-d"), strtotime("-3 months"));' >> $gnusocial_expire_script - echo '$username="root";' >> $gnusocial_expire_script - echo "\$password=trim(file_get_contents(\"$DATABASE_PASSWORD_FILE\"));" >> $gnusocial_expire_script - echo '$database="gnusocial";' >> $gnusocial_expire_script - echo '' >> $gnusocial_expire_script - echo 'if (!$link = mysql_connect("localhost", $username, $password)) {' >> $gnusocial_expire_script - echo ' echo "Could not connect to mariadb";' >> $gnusocial_expire_script - echo ' exit;' >> $gnusocial_expire_script - echo '}' >> $gnusocial_expire_script - echo '' >> $gnusocial_expire_script - echo 'if (!mysql_select_db($database, $link)) {' >> $gnusocial_expire_script - echo ' echo "Could not select gnusocial database";' >> $gnusocial_expire_script - echo ' exit;' >> $gnusocial_expire_script - echo '}' >> $gnusocial_expire_script - echo '' >> $gnusocial_expire_script - echo "\$notice_query=\"DELETE FROM notice WHERE created <= '\$oldate 01:01:01'\";" >> $gnusocial_expire_script - echo "\$conversation_query=\"DELETE FROM conversation WHERE created <= '$oldate 01:01:01'\";" >> $gnusocial_expire_script - echo "\$reply_query=\"DELETE FROM reply WHERE modified <= '\$oldate 01:01:01'\";" >> $gnusocial_expire_script - echo '' >> $gnusocial_expire_script - echo 'mysql_query($notice_query);' >> $gnusocial_expire_script - echo '$rowaff1=mysql_affected_rows();' >> $gnusocial_expire_script - echo 'mysql_query($conversation_query);' >> $gnusocial_expire_script - echo '$rowaff2=mysql_affected_rows();' >> $gnusocial_expire_script - echo 'mysql_query($reply_query);' >> $gnusocial_expire_script - echo '$rowaff3=mysql_affected_rows();' >> $gnusocial_expire_script - echo 'mysql_close();' >> $gnusocial_expire_script - echo '' >> $gnusocial_expire_script - echo 'echo "Expire GNU Social posts: $rowaff1 notices, $rowaff2 conversations, and $rowaff3 replies deleted from database.\n";' >> $gnusocial_expire_script - chmod +x $gnusocial_expire_script - - # Add a cron job - if ! grep -q "$gnusocial_expire_script" /etc/crontab; then - echo "10 3 5 * * root /usr/bin/timeout 500 /usr/bin/php $gnusocial_expire_script" >> /etc/crontab - fi - - # remove old expire script - if [ -f /etc/cron.weekly/clear-microblog-database ]; then - rm /etc/cron.weekly/clear-microblog-database - fi -} - -function install_gnu_social_theme { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - # update to the next commit - set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter "GNU Social theme commit" "$MICROBLOG_THEME_COMMIT" $MICROBLOG_THEME_REPO - - # customise with project logo - if [ -f /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png ]; then - if [ -f ~/freedombone/img/gnusocial_sprite.png ]; then - cp ~/freedombone/img/gnusocial_sprite.png /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png - fi - fi - - if grep -Fxq "install_gnu_social_theme" $COMPLETION_FILE; then - return - fi - - apt-get -y install wget - - if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then - mkdir -p /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins - fi - - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins - git_clone $MICROBLOG_THEME_REPO Qvitter - cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter - git checkout $MICROBLOG_THEME_COMMIT -b $MICROBLOG_THEME_COMMIT - - # download a custom background image - MICROBLOG_BACKGROUND_IMAGE_URL_EXT= - if [ $MICROBLOG_BACKGROUND_IMAGE_URL ]; then - if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".jpeg" || $$MICROBLOG_BACKGROUND_IMAGE_URL == *".jpg" ]]; then - MICROBLOG_BACKGROUND_IMAGE_URL_EXT="jpg" - fi - if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".png" ]]; then - MICROBLOG_BACKGROUND_IMAGE_URL_EXT="png" - fi - if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".gif" ]]; then - MICROBLOG_BACKGROUND_IMAGE_URL_EXT="gif" - fi - if [ $MICROBLOG_BACKGROUND_IMAGE_URL_EXT ]; then - wget $MICROBLOG_BACKGROUND_IMAGE_URL -O img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT} - if [ ! -f img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT} ]; then - echo "$MICROBLOG_BACKGROUND_IMAGE_URL" - echo $'Custom background image for microblog could not be downloaded' - exit 87524 - fi - fi - fi - - microblog_config_file=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php - if ! grep -q "addPlugin('Qvitter')" $microblog_config_file; then - MICROBLOG_WELCOME_MESSAGE=$(echo $MICROBLOG_WELCOME_MESSAGE | sed "s|\$MICROBLOG_DOMAIN_NAME|$MICROBLOG_DOMAIN_NAME|g") - echo "" >> $microblog_config_file - echo "// Qvitter settings" >> $microblog_config_file - echo "addPlugin('Qvitter');" >> $microblog_config_file - echo "\$config['site']['qvitter']['enabledbydefault'] = true;" >> $microblog_config_file - echo "\$config['site']['qvitter']['defaultbackgroundcolor'] = '#f4f4f4';" >> $microblog_config_file - echo "\$config['site']['qvitter']['defaultlinkcolor'] = '#0084B4';" >> $microblog_config_file - echo "\$config['site']['qvitter']['timebetweenpolling'] = 30000; // 30 secs" >> $microblog_config_file - echo "\$config['site']['qvitter']['urlshortenerapiurl'] = 'http://qttr.at/shortener.php';" >> $microblog_config_file - echo "\$config['site']['qvitter']['urlshortenersignature'] = 'b6afeec983';" >> $microblog_config_file - if [ $MICROBLOG_BACKGROUND_IMAGE_URL ]; then - echo "\$config['site']['qvitter']['sitebackground'] = 'img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT}';" >> $microblog_config_file - else - echo "\$config['site']['qvitter']['sitebackground'] = 'img/vagnsmossen.jpg';" >> $microblog_config_file - fi - echo "\$config['site']['qvitter']['favicon'] = 'img/favicon.ico?v=4';" >> $microblog_config_file - echo "\$config['site']['qvitter']['sprite'] = Plugin::staticPath('Qvitter', '').'img/sprite.png?v=40';" >> $microblog_config_file - echo "\$config['site']['qvitter']['enablewelcometext'] = true;" >> $microblog_config_file - echo "\$config['site']['qvitter']['customwelcometext']['en'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file - echo "\$config['site']['qvitter']['customwelcometext']['de'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file - echo "\$config['site']['qvitter']['customwelcometext']['fr'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file - echo "\$config['site']['qvitter']['customwelcometext']['es'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file - echo "\$config['site']['qvitter']['blocked_ips'] = array();" >> $microblog_config_file - else - if [ $MICROBLOG_BACKGROUND_IMAGE_URL_EXT ]; then - if [ -f img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT} ]; then - sed -i "s|\$config['site']['qvitter']['sitebackground'].*|\$config['site']['qvitter']['sitebackground'] = 'img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT}';|g" $microblog_config_file - fi - fi - fi - - # customise with project logo - if [ -f /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png ]; then - if [ -f ~/freedombone/img/gnusocial_sprite.png ]; then - cp ~/freedombone/img/gnusocial_sprite.png /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png - fi - fi - - if ! grep -q "GNU Social theme commit" $COMPLETION_FILE; then - echo "GNU Social theme commit:$MICROBLOG_THEME_COMMIT" >> $COMPLETION_FILE - fi - - chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs - - echo 'install_gnu_social_theme' >> $COMPLETION_FILE -} - -function install_gnu_social_markdown { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - MICROBLOG_PATH=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs - - # update to the next commit - set_repo_commit $MICROBLOG_PATH/local/plugins/Markdown "GNU Social Markdown commit" "$MICROBLOG_MARKDOWN_COMMIT" $MICROBLOG_MARKDOWN_REPO - - if grep -Fxq "install_gnu_social_markdown" $COMPLETION_FILE; then - return - fi - - if [ -d $MICROBLOG_PATH/local/plugins/Markdown ]; then - rm -rf $MICROBLOG_PATH/local/plugins/Markdown - fi - - if [ ! -d $MICROBLOG_PATH/local/plugins ]; then - mkdir -p $MICROBLOG_PATH/local/plugins - fi - - cd $MICROBLOG_PATH/local/plugins - git_clone $MICROBLOG_MARKDOWN_REPO Markdown - cd $MICROBLOG_PATH/local/plugins/Markdown - git checkout $MICROBLOG_MARKDOWN_COMMIT -b $MICROBLOG_MARKDOWN_COMMIT - - microblog_config_file=$MICROBLOG_PATH/config.php - if ! grep -q "addPlugin('Markdown'" $microblog_config_file; then - echo "" >> $microblog_config_file - echo "// Markdown settings" >> $microblog_config_file - echo "addPlugin('Markdown');" >> $microblog_config_file - fi - - if ! grep -q "GNU Social Markdown commit" $COMPLETION_FILE; then - echo "GNU Social Markdown commit:$MICROBLOG_MARKDOWN_COMMIT" >> $COMPLETION_FILE - fi - - chown -R www-data:www-data $MICROBLOG_PATH - - echo 'install_gnu_social_markdown' >> $COMPLETION_FILE -} - -function install_search_engine { - # Note: currently socks5 outgoing proxies to other search engines does not work - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! -d /etc/nginx ]; then - echo $'Webserver is not installed' - exit 62429 - fi - - # update to a new commit if needed - set_repo_commit $SEARCH_ENGINE_PATH/searx "Search engine commit" "$SEARCH_ENGINE_COMMIT" $SEARCH_ENGINE_REPO - if grep "Search engine key" $COMPLETION_FILE; then - if [ -f ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml ]; then - # note: this might change to a --tor option in a later version - if ! grep 'socks5://127.0.0.1:9050' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml; then - echo 'outgoing: # communication with search engines' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - echo ' proxies:' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - echo ' http : socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - echo ' https: socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - fi - SEARCH_ENGINE_SECRET_KEY=$(cat $COMPLETION_FILE | grep "Search engine key" | awk -F ':' '{print $2}') - sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - if [ -f /var/lib/tor/hidden_service_searx/hostname ]; then - SEARCH_ENGINE_ONION_HOSTNAME=$(echo /var/lib/tor/hidden_service_searx/hostname) - sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - fi - fi - fi - - if grep -Fxq "install_search_engine" $COMPLETION_FILE; then - return - fi - - apt-get -y install python-pip libyaml-dev python-werkzeug python-babel python-lxml apache2-utils - apt-get -y install git build-essential libxslt-dev python-dev python-virtualenv python-pybabel zlib1g-dev uwsgi uwsgi-plugin-python libapache2-mod-uwsgi - - pip install --upgrade pip - - pip install certifi - if [ ! "$?" = "0" ]; then - echo $'Failed to install certifi' - exit 737692 - fi - - pip install pyyaml - if [ ! "$?" = "0" ]; then - echo $'Failed to install pyyaml' - exit 469242 - fi - - pip install flask --upgrade - if [ ! "$?" = "0" ]; then - echo $'Failed to install flask' - exit 888575 - fi - - pip install flask_restless --upgrade - if [ ! "$?" = "0" ]; then - echo $'Failed to install flask_restless' - exit 54835 - fi - - pip install flask_babel --upgrade - if [ ! "$?" = "0" ]; then - echo $'Failed to install flask_babel' - exit 63738 - fi - - if [ ! -d $SEARCH_ENGINE_PATH ]; then - mkdir -p $SEARCH_ENGINE_PATH - fi - - # clone the repo - cd $SEARCH_ENGINE_PATH - git_clone $SEARCH_ENGINE_REPO searx - git checkout $SEARCH_ENGINE_COMMIT -b $SEARCH_ENGINE_COMMIT - if ! grep -q "Search engine commit" $COMPLETION_FILE; then - echo "Search engine commit:$SEARCH_ENGINE_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/Search engine commit.*/Search engine commit:$SEARCH_ENGINE_COMMIT/g" $COMPLETION_FILE - fi - - # create an onion service - SEARCH_ENGINE_ONION_HOSTNAME=$(add_onion_service searx 80 ${SEARCH_ENGINE_ONION_PORT}) - if ! grep "Search engine onion domain" $COMPLETION_FILE; then - echo "Search engine onion domain:${SEARCH_ENGINE_ONION_HOSTNAME}" >> $COMPLETION_FILE - else - sed -i "s|Search engine onion domain.*|Search engine onion domain:${SEARCH_ENGINE_ONION_HOSTNAME}|g" $COMPLETION_FILE - fi - - # an unprivileged user to run as - useradd -d ${SEARCH_ENGINE_PATH}/searx/ -s /bin/false searx - adduser searx debian-tor - - # daemon - echo '[Unit]' > /etc/systemd/system/searx.service - echo 'Description=Searx (search engine)' >> /etc/systemd/system/searx.service - echo 'After=syslog.target' >> /etc/systemd/system/searx.service - echo 'After=network.target' >> /etc/systemd/system/searx.service - echo '' >> /etc/systemd/system/searx.service - echo '[Service]' >> /etc/systemd/system/searx.service - echo 'Type=simple' >> /etc/systemd/system/searx.service - echo 'User=searx' >> /etc/systemd/system/searx.service - echo 'Group=searx' >> /etc/systemd/system/searx.service - echo "WorkingDirectory=${SEARCH_ENGINE_PATH}/searx" >> /etc/systemd/system/searx.service - echo "ExecStart=/usr/bin/python ${SEARCH_ENGINE_PATH}/searx/searx/webapp.py" >> /etc/systemd/system/searx.service - echo 'Restart=always' >> /etc/systemd/system/searx.service - echo 'Environment="USER=searx"' >> /etc/systemd/system/searx.service - echo '' >> /etc/systemd/system/searx.service - echo '[Install]' >> /etc/systemd/system/searx.service - echo 'WantedBy=multi-user.target' >> /etc/systemd/system/searx.service - - # create a webserver file - echo 'server {' > /etc/nginx/sites-available/searx - echo " listen 127.0.0.1:${SEARCH_ENGINE_ONION_PORT} default_server;" >> /etc/nginx/sites-available/searx - echo " root ${SEARCH_ENGINE_PATH}/searx;" >> /etc/nginx/sites-available/searx - echo " server_name ${SEARCH_ENGINE_ONION_HOSTNAME};" >> /etc/nginx/sites-available/searx - echo ' access_log off;' >> /etc/nginx/sites-available/searx - echo " error_log /var/log/searx_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/searx - echo '' >> /etc/nginx/sites-available/searx - nginx_limits searx '1M' - nginx_disable_sniffing searx - echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/searx - echo '' >> /etc/nginx/sites-available/searx - echo ' location / {' >> /etc/nginx/sites-available/searx - echo ' proxy_pass http://localhost:8888;' >> /etc/nginx/sites-available/searx - echo ' proxy_set_header Host $host;' >> /etc/nginx/sites-available/searx - echo ' proxy_set_header X-Real-IP $remote_addr;' >> /etc/nginx/sites-available/searx - echo ' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' >> /etc/nginx/sites-available/searx - echo ' proxy_set_header X-Remote-Port $remote_port;' >> /etc/nginx/sites-available/searx - echo ' proxy_set_header X-Forwarded-Proto $scheme;' >> /etc/nginx/sites-available/searx - echo ' proxy_redirect off;' >> /etc/nginx/sites-available/searx - - echo " auth_basic \"${SEARCH_ENGINE_LOGIN_TEXT}\";" >> /etc/nginx/sites-available/searx - echo ' auth_basic_user_file /etc/nginx/.htpasswd;' >> /etc/nginx/sites-available/searx - echo ' }' >> /etc/nginx/sites-available/searx - echo '' >> /etc/nginx/sites-available/searx - echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/searx - echo '' >> /etc/nginx/sites-available/searx - echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/searx - echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/searx - echo '' >> /etc/nginx/sites-available/searx - echo ' location = /robots.txt {' >> /etc/nginx/sites-available/searx - echo ' allow all;' >> /etc/nginx/sites-available/searx - echo ' log_not_found off;' >> /etc/nginx/sites-available/searx - echo ' access_log off;' >> /etc/nginx/sites-available/searx - echo ' }' >> /etc/nginx/sites-available/searx - echo '}' >> /etc/nginx/sites-available/searx - - # replace the secret key - if ! grep "Search engine key" $COMPLETION_FILE; then - SEARCH_ENGINE_SECRET_KEY="$(openssl rand -base64 32 | cut -c1-30)" - echo "Search engine key:${SEARCH_ENGINE_SECRET_KEY}" >> $COMPLETION_FILE - else - SEARCH_ENGINE_SECRET_KEY=$(cat $COMPLETION_FILE | grep "Search engine key" | awk -F ':' '{print $2}') - fi - sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings_robot.yml - sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings_robot.yml - - # note: this might change to a --tor option in a later version - if ! grep 'socks5://127.0.0.1:9050' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml; then - echo 'outgoing: # communication with search engines' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - echo ' proxies:' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - echo ' http : socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - echo ' https: socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml - fi - - chown -R searx:searx ${SEARCH_ENGINE_PATH}/searx - - # enable the site - nginx_ensite searx - - # restart the web server - systemctl restart php5-fpm - systemctl restart nginx - - # start the daemon - systemctl enable searx.service - systemctl daemon-reload - systemctl start searx.service - - if ! grep -q "Your search engine password is" /home/$MY_USERNAME/README; then - if [ ${#SEARCH_ENGINE_PASSWORD} -lt 8 ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - SEARCH_ENGINE_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - SEARCH_ENGINE_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - fi - echo "$SEARCH_ENGINE_PASSWORD" | htpasswd -i -s -c /etc/nginx/.htpasswd $MY_USERNAME - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Search Engine' >> /home/$MY_USERNAME/README - echo '=============' >> /home/$MY_USERNAME/README - echo $"Search engine onion domain: ${SEARCH_ENGINE_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README - echo $"Your search engine password is: $SEARCH_ENGINE_PASSWORD" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'install_search_engine' >> $COMPLETION_FILE -} - -function install_webmail { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - - WEB_PATH=/var/www - WEBMAIL_PATH=$WEB_PATH/webmail - - # update to a new commit if needed - set_repo_commit $WEBMAIL_PATH "Webmail commit" "$WEBMAIL_COMMIT" $WEBMAIL_REPO - - if grep -Fxq "install_webmail" $COMPLETION_FILE; then - return - fi - if [ -d /etc/apache2 ]; then - rm -rf /etc/apache2 - echo $'Removed Apache installation after Dokuwiki install' - fi - - install_mariadb - get_mariadb_password - repair_databases_script - - apt-get -y install php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt git - apt-get -y install php5-dev imagemagick php5-imagick php5-sqlite php-auth-sasl php-net-smtp php-mime-type - apt-get -y install php-mail-mime php-mail-mimedecode php-net-ldap3 php5-pspell - pear install Net_IDNA2 - - if [ ! -f $WEBMAIL_PATH/index.php ]; then - cd $WEB_PATH - git_clone $WEBMAIL_REPO webmail - cd $WEBMAIL_PATH - git checkout $WEBMAIL_COMMIT -b $WEBMAIL_COMMIT - if ! grep -q "Webmail commit" $COMPLETION_FILE; then - echo "Webmail commit:$WEBMAIL_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/Webmail commit.*/Webmail commit:$WEBMAIL_COMMIT/g" $COMPLETION_FILE - fi - fi - if [ ! -f $WEBMAIL_PATH/index.php ]; then - echo $'Did not clone webmail repo' - exit 52825 - fi - - WEBMAIL_ONION_HOSTNAME=$(add_onion_service webmail 80 ${WEBMAIL_ONION_PORT}) - echo "Webmail onion domain:${WEBMAIL_ONION_HOSTNAME}" >> $COMPLETION_FILE - - get_mariadb_webmail_admin_password - if [ ! $WEBMAIL_ADMIN_PASSWORD ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - WEBMAIL_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - WEBMAIL_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - fi - create_database webmail "$WEBMAIL_ADMIN_PASSWORD" - mysql -u root --password="$MARIADB_PASSWORD" -D webmail < $WEBMAIL_PATH/SQL/mysql.initial.sql - - if [ ! -d /var/www/$DEFAULT_DOMAIN_NAME/htdocs ]; then - mkdir -p /var/www/$DEFAULT_DOMAIN_NAME/htdocs - fi - ln -s $WEBMAIL_PATH /var/www/$DEFAULT_DOMAIN_NAME/htdocs/webmail - - if [ ! -f /var/www/webmail/config/config.inc.php ]; then - # generate the configuration - echo ' /var/www/webmail/config/config.inc.php - echo "\$config['db_dsnw'] = 'mysql://root:${MARIADB_PASSWORD}@localhost/webmail';" >> /var/www/webmail/config/config.inc.php - echo "\$config['default_host'] = 'localhost';" >> /var/www/webmail/config/config.inc.php - echo "\$config['support_url'] = '';" >> /var/www/webmail/config/config.inc.php - WEBMAIL_DES_KEY="$(openssl rand -base64 32 | cut -c1-25)" - echo "\$config['des_key'] = '${WEBMAIL_DES_KEY}';" >> /var/www/webmail/config/config.inc.php - echo "\$config['product_name'] = '${PROJECT_NAME}';" >> /var/www/webmail/config/config.inc.php - echo "\$config['plugins'] = array('enigma');" >> /var/www/webmail/config/config.inc.php - echo "\$config['mime_param_folding'] = 0;" >> /var/www/webmail/config/config.inc.php - echo "\$config['enable_installer'] = false;" >> /var/www/webmail/config/config.inc.php - fi - - chown -R www-data:www-data $WEBMAIL_PATH - - echo 'server {' > /etc/nginx/sites-available/webmail - echo " listen 127.0.0.1:$WEBMAIL_ONION_PORT default_server;" >> /etc/nginx/sites-available/webmail - echo " server_name $WEBMAIL_ONION_HOSTNAME;" >> /etc/nginx/sites-available/webmail - echo " root ${WEBMAIL_PATH};" >> /etc/nginx/sites-available/webmail - echo ' index index.php index.html index.htm;' >> /etc/nginx/sites-available/webmail - echo ' access_log off;' >> /etc/nginx/sites-available/webmail - echo ' error_log off;' >> /etc/nginx/sites-available/webmail - echo ' location / {' >> /etc/nginx/sites-available/webmail - echo ' try_files $uri $uri/ /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/webmail - echo ' }' >> /etc/nginx/sites-available/webmail - echo ' error_page 404 /404.html;' >> /etc/nginx/sites-available/webmail - echo ' error_page 500 502 503 504 /50x.html;' >> /etc/nginx/sites-available/webmail - echo ' location = /50x.html {' >> /etc/nginx/sites-available/webmail - echo " root ${WEBMAIL_PATH};" >> /etc/nginx/sites-available/webmail - echo ' }' >> /etc/nginx/sites-available/webmail - echo ' location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {' >> /etc/nginx/sites-available/webmail - echo ' deny all;' >> /etc/nginx/sites-available/webmail - echo ' }' >> /etc/nginx/sites-available/webmail - echo ' location ~ ^/(config|temp|logs)/ {' >> /etc/nginx/sites-available/webmail - echo ' deny all;' >> /etc/nginx/sites-available/webmail - echo ' }' >> /etc/nginx/sites-available/webmail - echo ' location ~ /\. {' >> /etc/nginx/sites-available/webmail - echo ' deny all;' >> /etc/nginx/sites-available/webmail - echo ' access_log off;' >> /etc/nginx/sites-available/webmail - echo ' log_not_found off;' >> /etc/nginx/sites-available/webmail - echo ' }' >> /etc/nginx/sites-available/webmail - echo ' location ~ \.php$ {' >> /etc/nginx/sites-available/webmail - echo ' try_files $uri =404;' >> /etc/nginx/sites-available/webmail - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/webmail - echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/webmail - echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/webmail - echo ' include fastcgi_params;' >> /etc/nginx/sites-available/webmail - echo ' }' >> /etc/nginx/sites-available/webmail - echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/webmail - echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/webmail - echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/webmail - echo '}' >> /etc/nginx/sites-available/webmail - - nginx_ensite webmail - systemctl restart php5-fpm - systemctl restart nginx - - if ! grep -q "Webmail" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo 'Webmail' >> /home/$MY_USERNAME/README - echo '=======' >> /home/$MY_USERNAME/README - if [[ $ONION_ONLY == 'no' ]]; then - echo $"Open https://$DEFAULT_DOMAIN_NAME/webmail/index.php" >> /home/$MY_USERNAME/README - else - echo $"Open http://$WEBMAIL_ONION_HOSTNAME" >> /home/$MY_USERNAME/README - fi - echo $"MariaDB webmail admin password: $WEBMAIL_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'install_webmail' >> $COMPLETION_FILE -} - -function install_hubzilla { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! $HUBZILLA_DOMAIN_NAME ]; then - return - fi - - HUBZILLA_PATH=/var/www/$HUBZILLA_DOMAIN_NAME/htdocs - - # update to a new commit if needed - set_repo_commit $HUBZILLA_PATH "Hubzilla commit" "$HUBZILLA_COMMIT" $HUBZILLA_REPO - set_repo_commit $HUBZILLA_PATH/addon "Hubzilla addons commit" "$HUBZILLA_ADDONS_COMMIT" $HUBZILLA_ADDONS_REPO - if [ -d $HUBZILLA_PATH/redmatrix-themes1 ]; then - cd $HUBZILLA_PATH/redmatrix-themes1 - git stash - git pull - cp -r $HUBZILLA_PATH/redmatrix-themes1/* $HUBZILLA_PATH/view/theme/ - chown -R www-data:www-data $HUBZILLA_PATH - fi - - if grep -Fxq "install_hubzilla" $COMPLETION_FILE; then - return - fi - - install_mariadb - get_mariadb_password - repair_databases_script - - apt-get -y install php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt git - apt-get -y install php5-dev imagemagick php5-imagick - apt-get -y install php5-memcached - - if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME ]; then - mkdir /var/www/$HUBZILLA_DOMAIN_NAME - fi - if [ ! -d $HUBZILLA_PATH ]; then - mkdir $HUBZILLA_PATH - fi - - if [ ! -f $HUBZILLA_PATH/index.php ]; then - cd $INSTALL_DIR - git_clone $HUBZILLA_REPO hubzilla - git checkout $HUBZILLA_COMMIT -b $HUBZILLA_COMMIT - if ! grep -q "Hubzilla commit" $COMPLETION_FILE; then - echo "Hubzilla commit:$HUBZILLA_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/Hubzilla commit.*/Hubzilla commit:$HUBZILLA_COMMIT/g" $COMPLETION_FILE - fi - - rm -rf $HUBZILLA_PATH - mv hubzilla $HUBZILLA_PATH - - git_clone $HUBZILLA_ADDONS_REPO $HUBZILLA_PATH/addon - cd $HUBZILLA_PATH/addon - git checkout $HUBZILLA_ADDONS_COMMIT -b $HUBZILLA_ADDONS_COMMIT - if ! grep -q "Hubzilla addons commit" $COMPLETION_FILE; then - echo "Hubzilla addons commit:$HUBZILLA_ADDONS_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/Hubzilla addons commit.*/Hubzilla addons commit:$HUBZILLA_ADDONS_COMMIT/g" $COMPLETION_FILE - fi - - # some extra themes - git_clone $HUBZILLA_THEMES_REPO $HUBZILLA_PATH/redmatrix-themes1 - cp -r $HUBZILLA_PATH/redmatrix-themes1/* $HUBZILLA_PATH/view/theme/ - - chown -R www-data:www-data $HUBZILLA_PATH - fi - - HUBZILLA_ONION_HOSTNAME= - if [[ $ONION_ONLY != "no" ]]; then - HUBZILLA_ONION_HOSTNAME=$(add_onion_service hubzilla 80 ${HUBZILLA_ONION_PORT}) - echo "Hubzilla onion domain:${HUBZILLA_ONION_HOSTNAME}" >> $COMPLETION_FILE - fi - - get_mariadb_hubzilla_admin_password - if [ ! $HUBZILLA_ADMIN_PASSWORD ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - HUBZILLA_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - HUBZILLA_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo 'Hubzilla' >> /home/$MY_USERNAME/README - echo '========' >> /home/$MY_USERNAME/README - if [[ $ONION_ONLY == 'no' ]]; then - echo $"Open https://$HUBZILLA_DOMAIN_NAME and register a new user" >> /home/$MY_USERNAME/README - else - echo $"Open http://$HUBZILLA_ONION_HOSTNAME and register a new user" >> /home/$MY_USERNAME/README - fi - echo $"Your MariaDB Hubzilla admin password is: $HUBZILLA_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - create_database hubzilla "$HUBZILLA_ADMIN_PASSWORD" - - if ! grep -q "$HUBZILLA_PATH" /etc/crontab; then - echo "12,22,32,42,52 * * * * root cd $HUBZILLA_PATH; /usr/bin/timeout 500 /usr/bin/php include/poller.php" >> /etc/crontab - fi - - add_ddns_domain $HUBZILLA_DOMAIN_NAME - - if [[ $ONION_ONLY == "no" ]]; then - nginx_http_redirect $HUBZILLA_DOMAIN_NAME - echo 'server {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " root $HUBZILLA_PATH;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " server_name $HUBZILLA_DOMAIN_NAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' charset utf-8;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - nginx_limits $HUBZILLA_DOMAIN_NAME - nginx_ssl $HUBZILLA_DOMAIN_NAME - nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME - echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' allow all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' expires 30d;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # block these file types' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # or a unix socket' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ~ /\. {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - else - echo 'server {' > /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " listen 127.0.0.1:${HUBZILLA_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " root $HUBZILLA_PATH;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " server_name $HUBZILLA_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' charset utf-8;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - nginx_limits $HUBZILLA_DOMAIN_NAME - nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME - echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' allow all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' expires 30d;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # block these file types' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # or a unix socket' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ~ /\. {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME - fi - - configure_php - - create_site_certificate $HUBZILLA_DOMAIN_NAME 'yes' - - if [ ! -d $HUBZILLA_PATH/view/tpl/smarty3 ]; then - mkdir $HUBZILLA_PATH/view/tpl/smarty3 - fi - if [ ! -d "$HUBZILLA_PATH/store" ]; then - mkdir "$HUBZILLA_PATH/store" - fi - if [ ! -d "$HUBZILLA_PATH/store/[data]" ]; then - mkdir "$HUBZILLA_PATH/store/[data]" - fi - if [ ! -d "$HUBZILLA_PATH/store/[data]/smarty3" ]; then - mkdir "$HUBZILLA_PATH/store/[data]/smarty3" - chmod 777 "$HUBZILLA_PATH/store/[data]/smarty3" - fi - chmod 777 $HUBZILLA_PATH/view/tpl - chown -R www-data:www-data "$HUBZILLA_PATH/store" - chmod 777 $HUBZILLA_PATH/view/tpl/smarty3 - - # Ensure that the database gets backed up locally, if remote - # backups are not being used - backup_databases_script_header - - backup_database_local hubzilla - - chown -R www-data:www-data $HUBZILLA_PATH - - nginx_ensite $HUBZILLA_DOMAIN_NAME - - # initialize the database - if [ ! -f $HUBZILLA_PATH/install/schema_mysql.sql ]; then - echo $'No database schema found for hubzilla' - exit 252782 - fi - mysql -u root --password="$MARIADB_PASSWORD" -D hubzilla < $HUBZILLA_PATH/install/schema_mysql.sql - if [ ! "$?" = "0" ]; then - exit 62952 - fi - - # create the config file - echo ' $HUBZILLA_PATH/.htconfig.php - echo "\$db_host = 'localhost';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$db_port = '0';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$db_user = 'root';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$db_pass = '${MARIADB_PASSWORD}';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$db_data = 'hubzilla';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$db_type = '0';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$default_timezone = 'Europe/London';" >> $HUBZILLA_PATH/.htconfig.php - if [[ $ONION_ONLY == 'no' ]]; then - echo "\$a->config['system']['baseurl'] = 'https://${HUBZILLA_DOMAIN_NAME}';" >> $HUBZILLA_PATH/.htconfig.php - else - echo "\$a->config['system']['baseurl'] = 'http://${HUBZILLA_ONION_HOSTNAME}';" >> $HUBZILLA_PATH/.htconfig.php - fi - echo "\$a->config['system']['sitename'] = \"Hubzilla\";" >> $HUBZILLA_PATH/.htconfig.php - HUBZILLA_LOCATION_HASH="$(openssl rand -base64 32 | cut -c1-30)" - echo "\$a->config['system']['location_hash'] = '${HUBZILLA_LOCATION_HASH}';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$a->config['system']['register_policy'] = REGISTER_OPEN;" >> $HUBZILLA_PATH/.htconfig.php - echo "\$a->config['system']['register_text'] = '';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$a->config['system']['admin_email'] = '${MY_EMAIL_ADDRESS}';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$a->config['system']['verify_email'] = 1;" >> $HUBZILLA_PATH/.htconfig.php - echo "\$a->config['system']['access_policy'] = ACCESS_PRIVATE;" >> $HUBZILLA_PATH/.htconfig.php - echo "\$a->config['system']['sellpage'] = '';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$a->config['system']['max_import_size'] = 200000;" >> $HUBZILLA_PATH/.htconfig.php - echo "\$a->config['system']['php_path'] = '/usr/bin/php';" >> $HUBZILLA_PATH/.htconfig.php - echo "\$a->config['system']['directory_mode'] = DIRECTORY_MODE_NORMAL;" >> $HUBZILLA_PATH/.htconfig.php - echo "\$a->config['system']['theme'] = 'redbasic';" >> $HUBZILLA_PATH/.htconfig.php - chown www-data:www-data $HUBZILLA_PATH/.htconfig.php - chmod 755 $HUBZILLA_PATH/.htconfig.php - - systemctl restart php5-fpm - systemctl restart nginx - systemctl restart cron - - freedombone-addemail -u $MY_USERNAME -e "noreply@$HUBZILLA_DOMAIN_NAME" -g hubzilla --public no - - echo "Hubzilla domain:${HUBZILLA_DOMAIN_NAME}" >> $COMPLETION_FILE - echo 'install_hubzilla' >> $COMPLETION_FILE -} - -function script_for_attaching_usb_drive { - if grep -Fxq "script_for_attaching_usb_drive" $COMPLETION_FILE; then - return - fi - echo '#!/bin/bash' > /usr/bin/attach-music - echo 'remove-music' >> /usr/bin/attach-music - echo "if [ ! -d $USB_MOUNT ]; then" >> /usr/bin/attach-music - echo " mkdir $USB_MOUNT" >> /usr/bin/attach-music - echo 'fi' >> /usr/bin/attach-music - echo "mount /dev/sda1 $USB_MOUNT" >> /usr/bin/attach-music - echo "chown root:root $USB_MOUNT" >> /usr/bin/attach-music - echo "chown -R minidlna:minidlna $USB_MOUNT/*" >> /usr/bin/attach-music - echo 'service minidlna restart' >> /usr/bin/attach-music - echo 'minidlnad -R' >> /usr/bin/attach-music - chmod +x /usr/bin/attach-music - ln -s /usr/bin/attach-music /usr/bin/attach-usb - ln -s /usr/bin/attach-music /usr/bin/attach-videos - ln -s /usr/bin/attach-music /usr/bin/attach-pictures - ln -s /usr/bin/attach-music /usr/bin/attach-media - - echo '#!/bin/bash' > /usr/bin/remove-music - echo "if [ -d $USB_MOUNT ]; then" >> /usr/bin/remove-music - echo " umount $USB_MOUNT" >> /usr/bin/remove-music - echo " rm -rf $USB_MOUNT" >> /usr/bin/remove-music - echo 'fi' >> /usr/bin/remove-music - chmod +x /usr/bin/remove-music - ln -s /usr/bin/remove-music /usr/bin/detach-music - ln -s /usr/bin/remove-music /usr/bin/detach-usb - ln -s /usr/bin/remove-music /usr/bin/remove-usb - ln -s /usr/bin/remove-music /usr/bin/detach-media - ln -s /usr/bin/remove-music /usr/bin/remove-media - ln -s /usr/bin/remove-music /usr/bin/detach-videos - ln -s /usr/bin/remove-music /usr/bin/remove-videos - ln -s /usr/bin/remove-music /usr/bin/detach-pictures - ln -s /usr/bin/remove-music /usr/bin/remove-pictures - - echo 'script_for_attaching_usb_drive' >> $COMPLETION_FILE -} - -function install_dlna_server { - if grep -Fxq "install_dlna_server" $COMPLETION_FILE; then - return - fi - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - apt-get -y install minidlna - - if [ ! -f /etc/minidlna.conf ]; then - echo $"ERROR: minidlna does not appear to have installed. $CHECK_MESSAGE" - exit 55 - fi - - sed -i "s|media_dir=/var/lib/minidlna|media_dir=A,/home/$MY_USERNAME/Music|g" /etc/minidlna.conf - if ! grep -q "/home/$MY_USERNAME/Pictures" /etc/minidlna.conf; then - echo "media_dir=P,/home/$MY_USERNAME/Pictures" >> /etc/minidlna.conf - fi - if ! grep -q "/home/$MY_USERNAME/Videos" /etc/minidlna.conf; then - echo "media_dir=V,/home/$MY_USERNAME/Videos" >> /etc/minidlna.conf - fi - if ! grep -q "$USB_MOUNT/Music" /etc/minidlna.conf; then - echo "media_dir=A,$USB_MOUNT/Music" >> /etc/minidlna.conf - fi - if ! grep -q "$USB_MOUNT/Pictures" /etc/minidlna.conf; then - echo "media_dir=P,$USB_MOUNT/Pictures" >> /etc/minidlna.conf - fi - if ! grep -q "$USB_MOUNT/Videos" /etc/minidlna.conf; then - echo "media_dir=V,$USB_MOUNT/Videos" >> /etc/minidlna.conf - fi - sed -i 's/#root_container=./root_container=B/g' /etc/minidlna.conf - if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then - sed -i 's/#network_interface=/network_interface=eth0/g' /etc/minidlna.conf - else - sed -i 's/#network_interface=/network_interface=$WIFI_INTERFACE/g' /etc/minidlna.conf - fi - sed -i "s/#friendly_name=/friendly_name=\"${PROJECT_NAME} Media\"/g" /etc/minidlna.conf - sed -i 's|#db_dir=/var/cache/minidlna|db_dir=/var/cache/minidlna|g' /etc/minidlna.conf - sed -i 's/#inotify=yes/inotify=yes/g' /etc/minidlna.conf - sed -i 's/#notify_interval=895/notify_interval=300/g' /etc/minidlna.conf - sed -i "s|#presentation_url=/|presentation_url=http://localhost:8200|g" /etc/minidlna.conf - service minidlna force-reload - service minidlna reload - - sed -i 's/fs.inotify.max_user_watches*/fs.inotify.max_user_watches=65536/g' /etc/sysctl.conf - if ! grep -q "max_user_watches" $COMPLETION_FILE; then - echo 'fs.inotify.max_user_watches=65536' >> /etc/sysctl.conf - fi - /sbin/sysctl -p - - - echo 'install_dlna_server' >> $COMPLETION_FILE -} - -function install_media_server { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! $MEDIA_SERVER_DOMAIN_NAME ]; then - return - fi - # update to a new commit if needed - set_repo_commit $MEDIA_SERVER_WORKING_DIRECTORY "Media server commit" "$MEDIA_SERVER_COMMIT" $MEDIA_SERVER_REPO - if [ -d $MEDIA_SERVER_WORKING_DIRECTORY ]; then - chown -R www-data:www-data $MEDIA_SERVER_WORKING_DIRECTORY - fi - - if grep -Fxq "install_media_server" $COMPLETION_FILE; then - return - fi - - echo $'Installing media server' - - apt-get -y install git-core python python-dev python-lxml python-pil - apt-get -y install python-virtualenv automake python-pip - apt-get -y install fcgiwrap libmysqlclient-dev - apt-get -y install libjpeg-dev zlib1g-dev libfreetype6-dev - apt-get -y install python-setuptools python-virtualenv - apt-get -y remove uwsgi uwsgi-plugin-python - pip uninstall uwsgi -y - apt-get -y install uwsgi uwsgi-plugin-python - pip install --upgrade pip - pip install paster==0.8 - pip install bleach==1.4.3 - pip install aniso8601==1.0.0 - pip install decorator==3.3.2 - pip install unidecode==0.4.19 - pip install google-api-python-client==1.5.1 - pip install akismet==0.2.0 - pip install MySQL-python==1.2.5 - pip install tw.forms==0.9.9 - pip install repoze.who.plugins.sa==2.3 - pip install repoze.who-friendlyform==1.0.8 - pip install repoze.who==1.0.18 - pip install Routes==1.12.3 - pip install Genshi==0.7 - pip install alembic==0.8.6 - pip install SQLAlchemy==0.7.6 - pip install WebHelpers==1.0 - pip install Pylons==1.0.2 - pip install ddt==1.1.0 - pip install iso8601==0.1.11 - pip install httplib2==0.9.1 - pip install pyasn1==0.1.8 - pip install uwsgi --upgrade - - if [ -d $MEDIA_SERVER_BASE_DIRECTORY ]; then - rm -rf $MEDIA_SERVER_BASE_DIRECTORY - fi - mkdir -p $MEDIA_SERVER_BASE_DIRECTORY - - install_mariadb - get_mariadb_password - repair_databases_script - - get_mariadb_media_server_admin_password - if [ ! $MEDIA_SERVER_ADMIN_PASSWORD ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - MEDIA_SERVER_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - MEDIA_SERVER_ADMIN_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - fi - - create_database mediadrop "$MEDIA_SERVER_ADMIN_PASSWORD" mediadropadmin - - useradd -d ${MEDIA_SERVER_WORKING_DIRECTORY} -s /bin/false mediadrop - - # create python environment - cd $MEDIA_SERVER_BASE_DIRECTORY - virtualenv --distribute --no-site-packages venv - source venv/bin/activate - - # clone the repo - git_clone $MEDIA_SERVER_REPO $MEDIA_SERVER_WORKING_DIRECTORY - if [ ! -d $MEDIA_SERVER_WORKING_DIRECTORY ]; then - echo $'Unable to clone mediadrop' - exit 732581 - fi - cd $MEDIA_SERVER_WORKING_DIRECTORY - git checkout $MEDIA_SERVER_COMMIT -b $MEDIA_SERVER_COMMIT - python setup.py develop - - # create a configuration - if [ -f deployment.ini ]; then - rm deployment.ini - fi - paster make-config MediaDrop deployment.ini - if [ ! -f deployment.ini ]; then - echo $'deployment.ini not created' - exit 726567 - fi - - # database authentication - sed -i "s|sqlalchemy.url.*|sqlalchemy.url = mysql://mediadrop:${MEDIA_SERVER_ADMIN_PASSWORD}@localhost/mediadrop?charset=utf8&use_unicode=0|g" deployment.ini - - # faster file serve - sed -i 's|files_serve_method.*|files_serve_method = nginx_redirect|g' deployment.ini - - # initial data - if [ ! -d $MEDIA_SERVER_WORKING_DIRECTORY/data ]; then - echo $'No data directory found' - exit 625728 - fi - cp -r $MEDIA_SERVER_WORKING_DIRECTORY/data/* $MEDIA_SERVER_WORKING_DIRECTORY - paster setup-app deployment.ini - - # add uwsgi to deployment.ini - echo '' >> deployment.ini - echo '[uwsgi]' >> deployment.ini - echo 'socket = /tmp/uwsgi-mediadrop.soc' >> deployment.ini - echo 'master = true' >> deployment.ini - echo 'processes = 5' >> deployment.ini - echo "home = $MEDIA_SERVER_BASE_DIRECTORY" >> deployment.ini - echo 'daemonize = /var/log/uwsgi.log' >> deployment.ini - - # enable full test search - mysql -u mediadrop --password="$MEDIA_SERVER_ADMIN_PASSWORD" mediadrop < $MEDIA_SERVER_WORKING_DIRECTORY/setup_triggers.sql - - chown -R mediadrop:mediadrop $MEDIA_SERVER_BASE_DIRECTORY - - # script to be called by the daemon - echo '#!/bin/bash' > /usr/bin/start-mediadrop - echo "cd ${MEDIA_SERVER_WORKING_DIRECTORY}" >> /usr/bin/start-mediadrop - echo "${MEDIA_SERVER_WORKING_DIRECTORY}/deployment-scripts/uwsgi --ini-paste ${MEDIA_SERVER_BASE_DIRECTORY}/deployment.ini" >> /usr/bin/start-mediadrop - echo "${MEDIA_SERVER_BASE_DIRECTORY}/venv/bin/paster serve --reload ${MEDIA_SERVER_BASE_DIRECTORY}/deployment.ini" >> /usr/bin/start-mediadrop - chmod +x /usr/bin/start-mediadrop - - # create daemon - echo '[Unit]' > /etc/systemd/system/mediadrop.service - echo 'Description=Mediadrop - media playing on the web' >> /etc/systemd/system/mediadrop.service - echo 'After=network.target' >> /etc/systemd/system/mediadrop.service - echo '' >> /etc/systemd/system/mediadrop.service - echo '[Service]' >> /etc/systemd/system/mediadrop.service - echo 'User=mediadrop' >> /etc/systemd/system/mediadrop.service - echo "Environment='USER=mediadrop'" >> /etc/systemd/system/mediadrop.service - echo "WorkingDirectory=${MEDIA_SERVER_WORKING_DIRECTORY}" >> /etc/systemd/system/searx.service - echo 'ExecStart=/usr/bin/start-mediadrop' >> /etc/systemd/system/mediadrop.service - echo 'Restart=on-failure' >> /etc/systemd/system/mediadrop.service - echo 'SuccessExitStatus=3 4' >> /etc/systemd/system/mediadrop.service - echo 'RestartForceExitStatus=3 4' >> /etc/systemd/system/mediadrop.service - echo '' >> /etc/systemd/system/mediadrop.service - echo '[Install]' >> /etc/systemd/system/mediadrop.service - echo 'WantedBy=multi-user.target' >> /etc/systemd/system/mediadrop.service - systemctl enable mediadrop - systemctl daemon-reload - systemctl start mediadrop - - # onion address - MEDIA_SERVER_ONION_HOSTNAME=$(add_onion_service mediadrop 80 ${MEDIA_SERVER_ONION_PORT}) - if ! grep -q "Media server onion domain" $COMPLETION_FILE; then - echo "Media server onion domain:${MEDIA_SERVER_ONION_HOSTNAME}" >> $COMPLETION_FILE - else - sed -i "s|Media server onion domain.*|Media server onion domain:${MEDIA_SERVER_ONION_HOSTNAME}|g" $COMPLETION_FILE - fi - if [[ $MEDIA_SERVER_ONION_HOSTNAME == *"not found"* ]]; then - echo $'Problem creating onion address for mediadrop' - exit 72963 - fi - - if [[ $ONION_ONLY == 'no' ]]; then - nginx_http_redirect $MEDIA_SERVER_DOMAIN_NAME - echo 'server {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' listen 443;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " server_name $MEDIA_SERVER_DOMAIN_NAME;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " access_log /var/log/nginx/${MEDIA_SERVER_DOMAIN_NAME}.log;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " error_log /var/log/nginx/${MEDIA_SERVER_DOMAIN_NAME}.log;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - nginx_ssl $MEDIA_SERVER_DOMAIN_NAME - nginx_disable_sniffing $MEDIA_SERVER_DOMAIN_NAME - nginx_limits $MEDIA_SERVER_DOMAIN_NAME '15m' - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/public;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' location ~* ^/(appearance)/ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/data ;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' location ~* ^(/images\/media|images\/podcasts) {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/data ;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' location ~* ^/(styles|scripts|images)/ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' expires max;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' add_header Cache-Control "public";' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' location /__mediacore_serve__ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " alias ${MEDIA_SERVER_WORKING_DIRECTORY}/data/media;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' internal;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' uwsgi_pass unix:///tmp/uwsgi-mediadrop.soc;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' include uwsgi_params;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " uwsgi_param SCRIPT_NAME '';" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - - create_site_certificate $MEDIA_SERVER_DOMAIN_NAME - add_ddns_domain $MEDIA_SERVER_DOMAIN_NAME - else - echo -n '' > /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - fi - - echo 'server {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " listen 127.0.0.1:${MEDIA_SERVER_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " server_name $MEDIA_SERVER_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " access_log /var/log/nginx/${MEDIA_SERVER_DOMAIN_NAME}.log;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " error_log /var/log/nginx/${MEDIA_SERVER_DOMAIN_NAME}.log;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - nginx_disable_sniffing $MEDIA_SERVER_DOMAIN_NAME - nginx_limits $MEDIA_SERVER_DOMAIN_NAME '15m' - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/public;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' location ~* ^/(appearance)/ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/data ;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' location ~* ^(/images\/media|images\/podcasts) {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " root ${MEDIA_SERVER_WORKING_DIRECTORY}/data ;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' location ~* ^/(styles|scripts|images)/ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' expires max;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' add_header Cache-Control "public";' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' break;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' location /__mediacore_serve__ {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " alias ${MEDIA_SERVER_WORKING_DIRECTORY}/data/media;" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' internal;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' location / {' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' uwsgi_pass unix:///tmp/uwsgi-mediadrop.soc;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' include uwsgi_params;' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo " uwsgi_param SCRIPT_NAME '';" >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo ' }' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - echo '}' >> /etc/nginx/sites-available/$MEDIA_SERVER_DOMAIN_NAME - - nginx_ensite $MEDIA_SERVER_DOMAIN_NAME - systemctl restart php5-fpm - systemctl restart nginx - - if ! grep -q "Media server domain" $COMPLETION_FILE; then - echo "Media server domain:$MEDIA_SERVER_DOMAIN_NAME" >> $COMPLETION_FILE - else - sed -i "s/Media server domain.*/Media server domain:$MEDIA_SERVER_DOMAIN_NAME/g" $COMPLETION_FILE - fi - - if ! grep -q $"Media Server" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Media Server' >> /home/$MY_USERNAME/README - echo '============' >> /home/$MY_USERNAME/README - echo $"Media server administrator nickname: mediadropadmin" >> /home/$MY_USERNAME/README - echo $"Media server administrator password: $MEDIA_SERVER_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'install_media_server' >> $COMPLETION_FILE -} - -function install_mediagoblin { - if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [ ! $MEDIAGOBLIN_DOMAIN_NAME ]; then - return - fi - - MEDIAGOBLIN_WORKING_DIRECTORY=/var/www/$MEDIAGOBLIN_DOMAIN_NAME/htdocs - - # update to a new commit if needed - set_repo_commit $MEDIAGOBLIN_WORKING_DIRECTORY "Mediagoblin commit" "$MEDIAGOBLIN_COMMIT" $MEDIAGOBLIN_REPO - if [ -d $MEDIAGOBLIN_WORKING_DIRECTORY ]; then - chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY - fi - - if grep -Fxq "install_mediagoblin" $COMPLETION_FILE; then - return - fi - - apt-get -y install git-core python python-dev python-lxml python-pil - apt-get -y install python-virtualenv npm nodejs-legacy automake - apt-get -y install fcgiwrap - - #apt-get -y install postgresql postgresql-client python-psycopg2 - #apt-get -y install python-gst-1.0 libjpeg62-turbo-dev gstreamer1.0-plugins-base python-gobject - #apt-get -y install gstreamer1.0-plugins-good gstreamer1.0-libav libav-tools gstreamer0.10-tools - #apt-get -y install python-numpy python-scipy libsndfile1-dev python-gst0.10-dev - #apt-get -y install gstreamer0.10-plugins-base gstreamer0.10-plugins-good gstreamer1.0-tools - #su -c "createuser -A -D mediagoblin" - postgres - #su -c "createdb -E UNICODE -O mediagoblin mediagoblin" - postgres - - useradd -c "GNU MediaGoblin system account" -d /var/lib/mediagoblin -m -r -g www-data mediagoblin - groupadd mediagoblin - usermod --append -G mediagoblin mediagoblin - - if [ ! -d $MEDIAGOBLIN_WORKING_DIRECTORY ]; then - mkdir -p $MEDIAGOBLIN_WORKING_DIRECTORY - fi - - git_clone $MEDIAGOBLIN_REPO $MEDIAGOBLIN_WORKING_DIRECTORY - cd $MEDIAGOBLIN_WORKING_DIRECTORY - git checkout $MEDIAGOBLIN_COMMIT -b $MEDIAGOBLIN_COMMIT - git submodule init - git submodule update - - if ! grep -q "Mediagoblin commit" $COMPLETION_FILE; then - echo "Mediagoblin commit:$MEDIAGOBLIN_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/Mediagoblin commit.*/Mediagoblin commit:$MEDIAGOBLIN_COMMIT/g" $COMPLETION_FILE - fi - - chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bootstrap.sh" - mediagoblin - if [ ! "$?" = "0" ]; then - exit 278826 - fi - - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./configure" - mediagoblin - if [ ! "$?" = "0" ]; then - exit 462826 - fi - - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && make" - mediagoblin - if [ ! "$?" = "0" ]; then - exit 738229 - fi - - if [ ! -d $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev ]; then - mkdir $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev - fi - chmod 750 $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install flup==1.0.3.dev-20110405" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade billiard" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade Paste" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade amqp" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade anyjson" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade py-bcrypt" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade wtforms" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade python-dateutil" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade alembic" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade waitress" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade imagesize" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade alabaster" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade snowballstemmer" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade docutils" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade Pygments" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade beautifulsoup4" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade WebOb" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade py" - mediagoblin - su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade execnet" - mediagoblin - - # create some directories - mkdir /var/log/mediagoblin - chown -hR mediagoblin:www-data /var/log/mediagoblin - mkdir /var/run/mediagoblin - chown -hR mediagoblin:www-data /var/run/mediagoblin - - if [ ! -f $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin.ini ]; then - echo $'mediagoblin.ini not found' - exit 737529 - fi - if [ ! -f $MEDIAGOBLIN_WORKING_DIRECTORY/paste.ini ]; then - echo $'paste.ini not found' - exit 52762 - fi - - cp -av mediagoblin.ini mediagoblin_local.ini - cp -av paste.ini paste_local.ini - - chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY - - # init with systemd - echo '[Unit]' > /etc/systemd/system/mediagoblin-celeryd.service - echo 'Description=Mediagoblin Celeryd' >> /etc/systemd/system/mediagoblin-celeryd.service - echo 'After=syslog.target' >> /etc/systemd/system/mediagoblin-celeryd.service - echo 'After=network.target' >> /etc/systemd/system/mediagoblin-celeryd.service - echo '' >> /etc/systemd/system/mediagoblin-celeryd.service - echo '[Service]' >> /etc/systemd/system/mediagoblin-celeryd.service - echo 'User=mediagoblin' >> /etc/systemd/system/mediagoblin-celeryd.service - echo 'Group=mediagoblin' >> /etc/systemd/system/mediagoblin-celeryd.service - echo 'Type=simple' >> /etc/systemd/system/mediagoblin-celeryd.service - echo "WorkingDirectory=$MEDIAGOBLIN_WORKING_DIRECTORY" >> /etc/systemd/system/mediagoblin-celeryd.service - echo "Environment=MEDIAGOBLIN_CONFIG=$MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin_local.ini \\" >> /etc/systemd/system/mediagoblin-celeryd.service - echo ' CELERY_CONFIG_MODULE=mediagoblin.init.celery.from_celery' >> /etc/systemd/system/mediagoblin-celeryd.service - echo "ExecStart=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/celery worker \\" >> /etc/systemd/system/mediagoblin-celeryd.service - echo ' --logfile=/var/log/mediagoblin/celery.log \' >> /etc/systemd/system/mediagoblin-celeryd.service - echo ' --loglevel=INFO' >> /etc/systemd/system/mediagoblin-celeryd.service - echo 'PIDFile=/var/run/mediagoblin/mediagoblin-celeryd.pid' >> /etc/systemd/system/mediagoblin-celeryd.service - echo '' >> /etc/systemd/system/mediagoblin-celeryd.service - echo '[Install]' >> /etc/systemd/system/mediagoblin-celeryd.service - echo 'WantedBy=multi-user.target' >> /etc/systemd/system/mediagoblin-celeryd.service - - echo '[Unit]' > /etc/systemd/system/mediagoblin-paster.service - echo 'Description=Mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service - echo 'After=syslog.target' >> /etc/systemd/system/mediagoblin-paster.service - echo 'After=network.target' >> /etc/systemd/system/mediagoblin-paster.service - echo '' >> /etc/systemd/system/mediagoblin-paster.service - echo '[Service]' >> /etc/systemd/system/mediagoblin-paster.service - echo 'Type=forking' >> /etc/systemd/system/mediagoblin-paster.service - echo 'User=mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service - echo 'Group=mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service - echo 'Environment=CELERY_ALWAYS_EAGER=false' >> /etc/systemd/system/mediagoblin-paster.service - echo "WorkingDirectory=$MEDIAGOBLIN_WORKING_DIRECTORY" >> /etc/systemd/system/mediagoblin-paster.service - echo "ExecStart=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/paster serve \\" >> /etc/systemd/system/mediagoblin-paster.service - echo " $MEDIAGOBLIN_WORKING_DIRECTORY/paste_local.ini \\" >> /etc/systemd/system/mediagoblin-paster.service - echo ' --pid-file=/var/run/mediagoblin/mediagoblin.pid \' >> /etc/systemd/system/mediagoblin-paster.service - echo ' --log-file=/var/log/mediagoblin/mediagoblin.log \' >> /etc/systemd/system/mediagoblin-paster.service - echo ' --daemon \' >> /etc/systemd/system/mediagoblin-paster.service - echo ' --server-name=fcgi fcgi_host=127.0.0.1 fcgi_port=26543' >> /etc/systemd/system/mediagoblin-paster.service - echo "ExecStop=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/paster serve \\" >> /etc/systemd/system/mediagoblin-paster.service - echo ' --pid-file=/var/run/mediagoblin/mediagoblin.pid \' >> /etc/systemd/system/mediagoblin-paster.service - echo " $MEDIAGOBLIN_WORKING_DIRECTORY/paste_local.ini stop" >> /etc/systemd/system/mediagoblin-paster.service - echo 'PIDFile=/var/run/mediagoblin/mediagoblin.pid' >> /etc/systemd/system/mediagoblin-paster.service - echo '' >> /etc/systemd/system/mediagoblin-paster.service - echo '[Install]' >> /etc/systemd/system/mediagoblin-paster.service - echo 'WantedBy=multi-user.target' >> /etc/systemd/system/mediagoblin-paster.service - systemctl daemon-reload - systemctl enable mediagoblin-celeryd - systemctl enable mediagoblin-paster - systemctl daemon-reload - systemctl start mediagoblin-celeryd - systemctl start mediagoblin-paster - - MEDIAGOBLIN_ONION_HOSTNAME=$(add_onion_service mediagoblin 80 ${MEDIAGOBLIN_ONION_PORT}) - if ! grep -q "Mediagoblin onion domain" $COMPLETION_FILE; then - echo "Mediagoblin onion domain:${MEDIAGOBLIN_ONION_HOSTNAME}" >> $COMPLETION_FILE - else - sed -i "s|Mediagoblin onion domain.*|Mediagoblin onion domain:${MEDIAGOBLIN_ONION_HOSTNAME}|g" $COMPLETION_FILE - fi - if [[ $MEDIAGOBLIN_ONION_HOSTNAME == *"not found"* ]]; then - echo $'Problem creating onion address for mediagoblin' - exit 672652 - fi - - # web config - MEDIAGOBLIN_VIRTUAL_HOST=/etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME - nginx_http_redirect $MEDIAGOBLIN_DOMAIN_NAME - if [[ $ONION_ONLY == 'no' ]]; then - echo 'server {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' listen 443 ssl;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Stock useful config options, but ignore them :)' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' include /etc/nginx/mime.types;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' autoindex off;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' default_type application/octet-stream;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' sendfile on;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - nginx_limits $MEDIAGOBLIN_DOMAIN_NAME '20m' - nginx_ssl $MEDIAGOBLIN_DOMAIN_NAME - nginx_disable_sniffing $MEDIAGOBLIN_DOMAIN_NAME - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Gzip' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' gzip on;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' gzip_min_length 1024;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' gzip_buffers 4 32k;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' gzip_types text/plain application/x-javascript text/javascript text/xml text/css;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Mounting MediaGoblin stuff' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # This is the section you should read' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " server_name $MEDIAGOBLIN_DOMAIN_NAME;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' access_log /var/log/nginx/mediagoblin.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' error_log /var/log/nginx/mediagoblin.error.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # MediaGoblins stock static files: CSS, JS, etc.' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' location /mgoblin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin/static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Instance specific media:' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' location /mgoblin_media/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/media/public/;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Theme static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' location /theme_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/theme_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Plugin static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' location /plugin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/plugin_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Mounting MediaGoblin itself via FastCGI.' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' location / {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' fastcgi_pass 127.0.0.1:26543;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' include /etc/nginx/fastcgi_params;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # our understanding vs nginxs handling of script_name vs' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # path_info dont match :)' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' fastcgi_param PATH_INFO $fastcgi_script_name;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' fastcgi_param SCRIPT_NAME "";' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '}' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - else - echo -n '' > $MEDIAGOBLIN_VIRTUAL_HOST - fi - - echo 'server {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " listen 127.0.0.1:${MEDIAGOBLIN_ONION_PORT} default_server;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Stock useful config options, but ignore them :)' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' include /etc/nginx/mime.types;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' autoindex off;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' default_type application/octet-stream;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' sendfile on;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - nginx_limits $MEDIAGOBLIN_DOMAIN_NAME '20m' - nginx_disable_sniffing $MEDIAGOBLIN_DOMAIN_NAME - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Gzip' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' gzip on;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' gzip_min_length 1024;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' gzip_buffers 4 32k;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' gzip_types text/plain application/x-javascript text/javascript text/xml text/css;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Mounting MediaGoblin stuff' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # This is the section you should read' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " server_name $MEDIAGOBLIN_ONION_HOSTNAME;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' access_log /var/log/nginx/mediagoblin.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' error_log /var/log/nginx/mediagoblin.error.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # MediaGoblins stock static files: CSS, JS, etc.' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' location /mgoblin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin/static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Instance specific media:' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' location /mgoblin_media/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/media/public/;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Theme static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' location /theme_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/theme_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Plugin static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' location /plugin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/plugin_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # Mounting MediaGoblin itself via FastCGI.' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' location / {' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' fastcgi_pass 127.0.0.1:26543;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' include /etc/nginx/fastcgi_params;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # our understanding vs nginxs handling of script_name vs' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' # path_info dont match :)' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' fastcgi_param PATH_INFO $fastcgi_script_name;' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' fastcgi_param SCRIPT_NAME "";' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST - echo '}' >> $MEDIAGOBLIN_VIRTUAL_HOST - - create_site_certificate $MEDIAGOBLIN_DOMAIN_NAME - - nginx_ensite $MEDIAGOBLIN_DOMAIN_NAME - systemctl restart php5-fpm - systemctl restart nginx - - add_ddns_domain $MEDIAGOBLIN_DOMAIN_NAME - - if ! grep -q "Mediagoblin domain" $COMPLETION_FILE; then - echo "Mediagoblin domain:$MEDIAGOBLIN_DOMAIN_NAME" >> $COMPLETION_FILE - else - sed -i "s/Mediagoblin domain.*/Mediagoblin domain:$MEDIAGOBLIN_DOMAIN_NAME/g" $COMPLETION_FILE - fi - - echo 'install_mediagoblin' >> $COMPLETION_FILE -} - -function create_upgrade_script { - if [ -f /usr/local/bin/${PROJECT_NAME}-upgrade ]; then - cp /usr/local/bin/${PROJECT_NAME}-upgrade /etc/cron.weekly/$UPGRADE_SCRIPT_NAME - else - cp /usr/bin/${PROJECT_NAME}-upgrade /etc/cron.weekly/$UPGRADE_SCRIPT_NAME - fi - - if grep -Fxq "create_upgrade_script" $COMPLETION_FILE; then - return - fi - - apt-get -y install unattended-upgrades - - echo 'create_upgrade_script' >> $COMPLETION_FILE -} - -function intrusion_detection { - if grep -Fxq "intrusion_detection" $COMPLETION_FILE; then - return - fi - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - apt-get -y install tripwire - apt-get -y autoremove - cd /etc/tripwire - cp site.key $DEFAULT_DOMAIN_NAME-site.key - echo '*** Installing intrusion detection ***' - echo ' - -' | tripwire --init - - # make a script for easy resetting of the tripwire - echo '#!/bin/sh' > /usr/bin/reset-tripwire - echo 'tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt' >> /usr/bin/reset-tripwire - chmod +x /usr/bin/reset-tripwire - - sed -i 's/SYSLOGREPORTING.*/SYSLOGREPORTING =false/g' /etc/tripwire/twcfg.txt - # only send emails if something has changed - sed -i 's|MAILNOVIOLATIONS.*|MAILNOVIOLATIONS = false|g' /etc/tripwire/twcfg.txt - sed -i '/# These files change the behavior of the root account/,/}/ s/.*//g' /etc/tripwire/twpol.txt - sed -i 's|/etc/rc.boot.*||g' /etc/tripwire/twpol.txt - # Don't show any changes to /proc - sed -i 's|/proc.*||g' /etc/tripwire/twpol.txt - # Don't report log changes - sed -i 's|/var/log.*||g' /etc/tripwire/twpol.txt - # Ignore /etc/tripwire - if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then - sed -i '\|/etc\t\t->.*|a\ !/etc/tripwire ;' /etc/tripwire/twpol.txt - fi - # ignore tt-rss cache - if ! grep -q '!/etc/share/tt-rss/cache' /etc/tripwire/twpol.txt; then - sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/cache ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then - sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt - fi - # Avoid logging the changed database - sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt - # recreate the configuration - echo ' - - ' | twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt - # reset - echo ' - - - - ' | reset-tripwire - - echo 'intrusion_detection' >> $COMPLETION_FILE -} - -# see https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy -# Local Redirection and Anonymizing Middlebox -function route_outgoing_traffic_through_tor { - if grep -Fxq "route_outgoing_traffic_through_tor" $COMPLETION_FILE; then - return - fi - if [[ $ROUTE_THROUGH_TOR != "yes" ]]; then - return - fi - apt-get -y install tor tor-arm - - ### set variables - # Destinations you don't want routed through Tor - _non_tor="192.168.1.0/24 192.168.0.0/24" - - # The user that Tor runs as - _tor_uid="debian-tor" - - # Tor's TransPort - _trans_port="9040" - - # Your internal interface - _int_if="eth0" - - ### Set iptables *nat - iptables -t nat -A OUTPUT -o lo -j RETURN - iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN - iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53 - - # Allow clearnet access for hosts in $_non_tor - for _clearnet in $_non_tor; do - iptables -t nat -A OUTPUT -d $_clearnet -j RETURN - iptables -t nat -A PREROUTING -i $_int_if -d $_clearnet -j RETURN - done - - # Redirect all other pre-routing and output to Tor - iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port - iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53 - iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port - - ### set iptables *filter - iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT - - # Allow clearnet access for hosts in $_non_tor - for _clearnet in $_non_tor 127.0.0.0/8; do - iptables -A OUTPUT -d $_clearnet -j ACCEPT - done - - # Allow only Tor output - iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT - iptables -A OUTPUT -j REJECT - - save_firewall_settings - - if ! grep -q "fs.file-max" /etc/sysctl.conf; then - echo "fs.file-max=100000" >> /etc/sysctl.conf - /sbin/sysctl -p - fi - - echo 'domain localdomain' > /etc/resolv.conf - echo 'search localdomain' >> /etc/resolv.conf - echo 'nameserver 127.0.0.1' >> /etc/resolv.conf - - if ! grep -q "VirtualAddrNetworkIPv4" /etc/tor/torrc; then - echo 'VirtualAddrNetworkIPv4 10.192.0.0/10' >> /etc/tor/torrc - fi - - if ! grep -q "AutomapHostsOnResolve" /etc/tor/torrc; then - echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc - fi - - if ! grep -q "TransPort" /etc/tor/torrc; then - echo 'TransPort 9040' >> /etc/tor/torrc - fi - - if ! grep -q "TransListenAddress 127.0.0.1" /etc/tor/torrc; then - echo 'TransListenAddress 127.0.0.1' >> /etc/tor/torrc - fi - - if ! grep -q "TransListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" /etc/tor/torrc; then - echo "TransListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/tor/torrc - fi - - if ! grep -q "DNSPort" /etc/tor/torrc; then - echo 'DNSPort 53' >> /etc/tor/torrc - fi - - if ! grep -q "DNSListenAddress 127.0.0.1" /etc/tor/torrc; then - echo 'DNSListenAddress 127.0.0.1' >> /etc/tor/torrc - fi - - if ! grep -q "DNSListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" /etc/tor/torrc; then - echo "DNSListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/tor/torrc - fi - - echo 'route_outgoing_traffic_through_tor' >> $COMPLETION_FILE -} - -# A command to create a git repository for a project -function create_git_project { - if grep -Fxq "create_git_project" $COMPLETION_FILE; then - return - fi - apt-get -y install git - - echo '#!/bin/bash' > /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo 'GIT_PROJECT_NAME=$1' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo 'if [ ! $GIT_PROJECT_NAME ]; then' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo ' echo "Please specify a project name, without any spaces"' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo ' exit 1' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo 'fi' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo 'if [ ! -d /home/$USER/projects/$GIT_PROJECT_NAME ]; then' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo ' mkdir -p /home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo 'fi' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo 'cd /home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo 'git init --bare' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo -n 'echo "Your project has been created, ' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo 'use the following command to clone the repository"' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo -n " git clone ssh://$MY_USERNAME@$DEFAULT_DOMAIN_NAME:$SSH_PORT" >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo '/home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - echo 'exit 0' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND - chmod +x /usr/bin/$CREATE_GIT_PROJECT_COMMAND - - echo 'create_git_project' >> $COMPLETION_FILE -} - -function check_date { - curr_date=$(date) - if [[ $curr_date == *"1970"* ]]; then - apt-get -y install ntp - fi -} - -function install_dynamicdns { - if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then - return - fi - if [[ $ONION_ONLY != "no" ]]; then - return - fi - - # update to the next commit - set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO - - if grep -Fxq "install_dynamicdns" $COMPLETION_FILE; then - return - fi - - # Here we compile from source because the current package - # doesn't support https, which could result in passwords - # being leaked - # Debian version 1.99.4-1 - # https version 1.99.8 - - apt-get -y install build-essential curl libgnutls28-dev automake1.11 - if [ ! -d $INSTALL_DIR/inadyn ]; then - git_clone $INADYN_REPO $INSTALL_DIR/inadyn - fi - if [ ! -d $INSTALL_DIR/inadyn ]; then - echo 'inadyn repo not cloned' - echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs - exit 6785 - fi - cd $INSTALL_DIR/inadyn - git checkout $INADYN_COMMIT -b $INADYN_COMMIT - if ! grep -q "inadyn commit" $COMPLETION_FILE; then - echo "inadyn commit:$INADYN_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/inadyn commit.*/inadyn commit:$INADYN_COMMIT/g" $COMPLETION_FILE - fi - - ./configure - if [ ! "$?" = "0" ]; then - exit 74890 - fi - USE_OPENSSL=1 make - if [ ! "$?" = "0" ]; then - exit 74858 - fi - make install - if [ ! "$?" = "0" ]; then - exit 3785 - fi - - # create an unprivileged user - #useradd -r -s /bin/false debian-inadyn - - # create a configuration file - echo 'background' > /etc/inadyn.conf - echo 'verbose 1' >> /etc/inadyn.conf - echo 'period 300' >> /etc/inadyn.conf - echo 'startup-delay 60' >> /etc/inadyn.conf - echo 'cache-dir /run/inadyn' >> /etc/inadyn.conf - echo 'logfile /dev/null' >> /etc/inadyn.conf - chmod 600 /etc/inadyn.conf - - echo '[Unit]' > /etc/systemd/system/inadyn.service - echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service - echo 'After=network.target' >> /etc/systemd/system/inadyn.service - echo '' >> /etc/systemd/system/inadyn.service - echo '[Service]' >> /etc/systemd/system/inadyn.service - echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service - echo 'Restart=always' >> /etc/systemd/system/inadyn.service - echo 'Type=forking' >> /etc/systemd/system/inadyn.service - echo '' >> /etc/systemd/system/inadyn.service - echo '[Install]' >> /etc/systemd/system/inadyn.service - echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service - systemctl enable inadyn - systemctl start inadyn - systemctl daemon-reload - - echo 'install_dynamicdns' >> $COMPLETION_FILE -} - -function get_voip_server_password { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "VoIP server password" /home/$MY_USERNAME/README; then - if [ ! $VOIP_SERVER_PASSWORD ]; then - VOIP_SERVER_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "VoIP server password" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi -} - -function get_sip_server_password { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "SIP server password" /home/$MY_USERNAME/README; then - if [ ! $SIP_SERVER_PASSWORD ]; then - SIP_SERVER_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "SIP server password" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi -} - -function install_ipfs { - if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then - return - fi - - select_go_version - - # update to the next commit - set_repo_commit $GOPATH/src/github.com/ipfs/go-ipfs "ipfs commit" "$IPFS_COMMIT" $IPFS_REPO - - if grep -Fxq "install_ipfs" $COMPLETION_FILE; then - return - fi - - apt-get -y install golang libpam0g-dev fuse - - if [ ! -d /home/git ]; then - # add a gogs user account - adduser --disabled-login --gecos 'Gogs' git - - # install Go - if ! grep -q "export GOPATH=" ~/.bashrc; then - echo "export GOPATH=$GOPATH" >> ~/.bashrc - else - sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" ~/.bashrc - fi - systemctl set-environment GOPATH=$GOPATH - if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then - echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc - else - sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc - fi - if [ ! -d $GOPATH ]; then - mkdir -p $GOPATH - fi - fi - - IPFS_PATH=$GOPATH/bin - export PATH="$GOPATH/bin:$PATH:" - if ! grep -q 'GOPATH/bin' ~/.bashrc; then - echo 'export PATH="$GOPATH/bin:$PATH:";' >> ~/.bashrc - else - sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc - fi - - # set gopath for the user - if ! grep -q "GOPATH=" /home/$MY_USERNAME/.bashrc; then - echo "export GOPATH=$GOPATH" >> /home/$MY_USERNAME/.bashrc - echo 'export PATH="$GOPATH/bin:$PATH:";' >> /home/$MY_USERNAME/.bashrc - else - sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" /home/$MY_USERNAME/.bashrc - fi - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.bashrc - - IPFS_GO_REPO2=$(echo "$IPFS_GO_REPO" | sed 's|https://||g') - go get -u ${IPFS_GO_REPO2}/cmd/ipfs - if [ ! "$?" = "0" ]; then - exit 8242 - fi - - cd $GOPATH/src/$IPFS_GO_REPO2 - git checkout $IPFS_COMMIT -b $IPFS_COMMIT - if ! grep -q "ipfs commit" $COMPLETION_FILE; then - echo "ipfs commit:$IPFS_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/ipfs commit.*/ipfs commit:$IPFS_COMMIT/g" $COMPLETION_FILE - fi - - # initialise - su -c "$IPFS_PATH/ipfs init -b 4096" - $MY_USERNAME - if [ ! -d /home/$MY_USERNAME/.ipfs ]; then - echo "IPFS could not be initialised for user $MY_USERNAME" - exit 7358 - fi - - # directories to mount to - if [ ! -d /ipfs ]; then - mkdir /ipfs - mkdir /ipns - chown $MY_USERNAME:$MY_USERNAME /ipfs - chown $MY_USERNAME:$MY_USERNAME /ipns - fi - - if [ -f /etc/fuse.conf ]; then - chown $MY_USERNAME:$MY_USERNAME /etc/fuse.conf - fi - if [ -f /dev/fuse ]; then - chown $MY_USERNAME:$MY_USERNAME /dev/fuse - fi - - echo '[Unit]' > /etc/systemd/system/ipfs.service - echo 'Description=IPFS daemon' >> /etc/systemd/system/ipfs.service - echo 'After=syslog.target' >> /etc/systemd/system/ipfs.service - echo 'After=network.target' >> /etc/systemd/system/ipfs.service - echo '' >> /etc/systemd/system/ipfs.service - echo '[Service]' >> /etc/systemd/system/ipfs.service - echo 'Type=simple' >> /etc/systemd/system/ipfs.service - echo "User=$MY_USERNAME" >> /etc/systemd/system/ipfs.service - echo "Group=$MY_USERNAME" >> /etc/systemd/system/ipfs.service - echo "WorkingDirectory=/home/$MY_USERNAME" >> /etc/systemd/system/ipfs.service - echo "ExecStart=$IPFS_PATH/ipfs daemon --mount" >> /etc/systemd/system/ipfs.service - echo 'Restart=on-failure' >> /etc/systemd/system/ipfs.service - echo "Environment=\"USER=$MY_USERNAME\" \"HOME=/home/$MY_USERNAME\" \"GOPATH=$GOPATH\" \"GVM_ROOT=$GVM_HOME\"" >> /etc/systemd/system/ipfs.service - echo '' >> /etc/systemd/system/ipfs.service - echo '[Install]' >> /etc/systemd/system/ipfs.service - echo 'WantedBy=multi-user.target' >> /etc/systemd/system/ipfs.service - - systemctl enable ipfs - systemctl daemon-reload - systemctl restart ipfs - - if [ -d /etc/avahi ]; then - su -c "echo $($IPFS_PATH/ipfs id | grep '\"ID\":' | awk -F '\"' '{print $4}') > /tmp/ipfsid" - $MY_USERNAME - if [ ! -f /tmp/ipfsid ]; then - echo 'No IPFS identity was created' - exit 37895 - fi - IPFS_PEER_ID=$(cat /tmp/ipfsid) - if [ ${#IPFS_PEER_ID} -lt 10 ]; then - echo 'Invalid IPFS peer ID' - echo "$IPFS_PEER_ID" - exit 74782 - fi - # Add an avahi service - echo '' > /etc/avahi/services/ipfs.service - echo '' >> /etc/avahi/services/ipfs.service - echo '' >> /etc/avahi/services/ipfs.service - echo ' %h IPFS' >> /etc/avahi/services/ipfs.service - echo ' ' >> /etc/avahi/services/ipfs.service - echo ' _ipfs._tcp' >> /etc/avahi/services/ipfs.service - echo " $IPFS_PORT" >> /etc/avahi/services/ipfs.service - echo " $IPFS_PEER_ID" >> /etc/avahi/services/ipfs.service - echo ' ' >> /etc/avahi/services/ipfs.service - echo '' >> /etc/avahi/services/ipfs.service - rm /tmp/ipfsid - fi - - echo 'install_ipfs' >> $COMPLETION_FILE -} - -function install_voip { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then - return - fi - if grep -Fxq "install_voip" $COMPLETION_FILE; then - return - fi - apt-get -y install mumble-server - - get_voip_server_password - if [ ! $VOIP_SERVER_PASSWORD ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - VOIP_SERVER_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - VOIP_SERVER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - if [ ${#VOIP_SERVER_PASSWORD} -lt $MINIMUM_PASSWORD_LENGTH ]; then - VOIP_SERVER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - fi - fi - - # Make an ssl cert for the server - if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then - ${PROJECT_NAME}-addcert -h mumble --dhkey $DH_KEYLENGTH - check_certificates mumble - fi - - # Check that the cert was created - if [ ! -f /etc/ssl/certs/mumble.crt ]; then - echo $'VoIP server certificate not created' - exit 57892 - fi - if [ ! -f /etc/ssl/private/mumble.key ]; then - echo $'VoIP server key not created' - exit 57893 - fi - if [ ! -d /var/lib/mumble-server ]; then - mkdir /var/lib/mumble-server - fi - cp /etc/ssl/certs/mumble.* /var/lib/mumble-server - cp /etc/ssl/private/mumble.key /var/lib/mumble-server - chown -R mumble-server:mumble-server /var/lib/mumble-server - - sed -i "s|welcometext=.*|welcometext=\"
Welcome to $DEFAULT_DOMAIN_NAME VoIP.
Chat freely!
\"|g" /etc/mumble-server.ini - - if [[ $VOIP_SERVER_PASSWORD && $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then - sed -i "s|serverpassword=.*|serverpassword=$VOIP_SERVER_PASSWORD|g" /etc/mumble-server.ini - fi - - sed -i 's|#autobanAttempts.*|autobanAttempts = 10|g' /etc/mumble-server.ini - sed -i 's|#autobanTimeframe.*|autobanTimeframe = 120|g' /etc/mumble-server.ini - sed -i 's|#autobanTime.*|autobanTime = 300|g' /etc/mumble-server.ini - sed -i 's|#sendversion=.*|sendversion=False|g' /etc/mumble-server.ini - sed -i 's|sendversion=.*|sendversion=False|g' /etc/mumble-server.ini - if ! grep -q "allowping" /etc/mumble-server.ini; then - echo 'allowping=False' >> /etc/mumble-server.ini - fi - sed -i 's|allowping=.*|allowping=False|g' /etc/mumble-server.ini - sed -i 's|#sslCert=.*|sslCert=/var/lib/mumble-server/mumble.crt|g' /etc/mumble-server.ini - sed -i 's|#sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini - sed -i 's|#certrequired=.*|certrequired=True|g' /etc/mumble-server.ini - sed -i 's|users=100|users=10|g' /etc/mumble-server.ini - sed -i 's|#channelnestinglimit=10|channelnestinglimit=10|g' /etc/mumble-server.ini - sed -i 's|#textmessagelength=.*|textmessagelength=1000|g' /etc/mumble-server.ini - sed -i 's|textmessagelength=.*|textmessagelength=1000|g' /etc/mumble-server.ini - sed -i 's|#imagemessagelength=.*|imagemessagelength=131072|g' /etc/mumble-server.ini - sed -i 's|#allowhtml=.*|allowhtml=False|g' /etc/mumble-server.ini - sed -i 's|allowhtml=.*|allowhtml=False|g' /etc/mumble-server.ini - sed -i "s|port=.*|port=${VOIP_PORT}|g" /etc/mumble-server.ini - - VOIP_ONION_HOSTNAME=$(add_onion_service voip ${VOIP_PORT} ${VOIP_PORT}) - if ! grep -q $"VoIP onion domain" $COMPLETION_FILE; then - echo "VoIP onion domain:$VOIP_ONION_HOSTNAME" >> $COMPLETION_FILE - fi - - systemctl restart mumble-server - - if ! grep -q $"VoIP Server" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'VoIP Server' >> /home/$MY_USERNAME/README - echo '===========' >> /home/$MY_USERNAME/README - echo $"VoIP onion domain:$VOIP_ONION_HOSTNAME" >> /home/$MY_USERNAME/README - echo $'VoIP server username: mumble-server' >> /home/$MY_USERNAME/README - if [[ $SYSTEM_TYPE != "VARIANT_MESH" ]]; then - echo $"VoIP server password: $VOIP_SERVER_PASSWORD" >> /home/$MY_USERNAME/README - fi - echo '' >> /home/$MY_USERNAME/README - echo $'To connect to the VoIP server use your username and the server password shown above.' >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'install_voip' >> $COMPLETION_FILE -} - -function update_sipwitch_daemon { - if [ ! -f /etc/init.d/sipwitch ]; then - return - fi - service sipwitch stop - - # remove the original sipwitch daemon if it exists - if [ -f /etc/init.d/sipwitch ]; then - rm -f /etc/init.d/sipwitch - fi - - # daemon - echo '[Unit]' > /etc/systemd/system/sipwitch.service - echo 'Description=GNU SIP Witch, a SIP telephony service daemon.' >> /etc/systemd/system/sipwitch.service - echo 'After=network.target' >> /etc/systemd/system/sipwitch.service - echo '' >> /etc/systemd/system/sipwitch.service - echo '[Service]' >> /etc/systemd/system/sipwitch.service - echo 'Type=simple' >> /etc/systemd/system/sipwitch.service - echo 'Group=sipwitch' >> /etc/systemd/system/sipwitch.service - echo 'PIDFile=/var/run/sipwitch/pidfile' >> /etc/systemd/system/sipwitch.service - echo 'EnvironmentFile=-/etc/conf.d/sipwitch' >> /etc/systemd/system/sipwitch.service - echo 'EnvironmentFile=-/etc/sipwitch.conf' >> /etc/systemd/system/sipwitch.service - echo 'EnvironmentFile=-/etc/default/sipwitch' >> /etc/systemd/system/sipwitch.service - echo 'ExecStartPre=-/bin/rm -f /var/run/sipwitch/control' >> /etc/systemd/system/sipwitch.service - echo "ExecStart=/usr/sbin/sipw -f \$OPTIONS -P$SIP_PORT" >> /etc/systemd/system/sipwitch.service - echo 'Restart=always' >> /etc/systemd/system/sipwitch.service - echo 'NotifyAccess=main' >> /etc/systemd/system/sipwitch.service - echo '' >> /etc/systemd/system/sipwitch.service - echo '[Install]' >> /etc/systemd/system/sipwitch.service - echo 'WantedBy=multi-user.target' >> /etc/systemd/system/sipwitch.service - - systemctl enable sipwitch - systemctl daemon-reload - systemctl start sipwitch -} - -function install_sip { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then - return - fi - if grep -Fxq "install_sip" $COMPLETION_FILE; then - return - fi - - apt-get -y install sipwitch - - get_sip_server_password - if [ ! $SIP_SERVER_PASSWORD ]; then - if [ -f $IMAGE_PASSWORD_FILE ]; then - SIP_SERVER_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" - else - SIP_SERVER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" - fi - fi - - echo '' > /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - - echo "" >> /etc/sipwitch.conf - echo '201' >> /etc/sipwitch.conf - echo "$SIP_SERVER_PASSWORD" >> /etc/sipwitch.conf - echo "$MY_USERNAME 201" >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - - echo '' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo " $DEFAULT_DOMAIN_NAME" >> /etc/sipwitch.conf - echo ' 200' >> /etc/sipwitch.conf - echo ' 2' >> /etc/sipwitch.conf - echo ' *' >> /etc/sipwitch.conf - echo ' false' >> /etc/sipwitch.conf - echo ' system' >> /etc/sipwitch.conf - echo ' anonymous' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo ' ' >> /etc/sipwitch.conf - echo ' 4' >> /etc/sipwitch.conf - echo ' ' >> /etc/sipwitch.conf - echo ' 4' >> /etc/sipwitch.conf - echo ' ' >> /etc/sipwitch.conf - echo ' 6' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo ' 200' >> /etc/sipwitch.conf - echo ' 100' >> /etc/sipwitch.conf - echo ' 77' >> /etc/sipwitch.conf - echo ' 200' >> /etc/sipwitch.conf - echo ' ' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - echo '' >> /etc/sipwitch.conf - - sed -i 's|#PLUGINS=|PLUGINS=|g' /etc/default/sipwitch - sed -i 's|PLUGINS=.*|PLUGINS="zeroconf subscriber forward"|g' /etc/default/sipwitch - groupadd sipwitch - usermod -aG sipwitch $MY_USERNAME - - SIP_ONION_HOSTNAME=$(add_onion_service sip ${SIP_PORT} ${SIP_PORT}) - if ! grep -q $"SIP onion domain" $COMPLETION_FILE; then - echo "SIP onion domain:$SIP_ONION_HOSTNAME" >> $COMPLETION_FILE - fi - - if ! grep -q $"SIP Server" /home/$MY_USERNAME/README; then - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'SIP Server' >> /home/$MY_USERNAME/README - echo '==========' >> /home/$MY_USERNAME/README - echo $"SIP onion_domain: $SIP_ONION_HOSTNAME" >> /home/$MY_USERNAME/README - echo $"SIP server username: $MY_USERNAME" >> /home/$MY_USERNAME/README - echo $"SIP server extension: 201" >> /home/$MY_USERNAME/README - echo $"SIP server password: $SIP_SERVER_PASSWORD" >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi - - echo 'install_sip' >> $COMPLETION_FILE -} - -function install_sip_turn { - if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then - return - fi - if grep -Fxq "install_sip_turn" $COMPLETION_FILE; then - return - fi - - apt-get -y install turnserver - - # create a nonce if needed - if [ ! $VOIP_TURN_NONCE ]; then - VOIP_TURN_NONCE="$(openssl rand -base64 32 | cut -c1-30)" - fi - - create_site_certificate $DEFAULT_DOMAIN_NAME - - echo '##' > /etc/turnserver/turnserver.conf - echo '# TurnServer configuration file.' >> /etc/turnserver/turnserver.conf - echo '#' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Public IPv4 address of any relayed address (if not set, no relay for IPv4).' >> /etc/turnserver/turnserver.conf - echo '## To have multiple address, separate addresses with a comma' >> /etc/turnserver/turnserver.conf - echo '## (i.e. listen_address = { "172.16.0.1", "172.17.0.1" }).' >> /etc/turnserver/turnserver.conf - echo "listen_address = { \"192.168.0.1\" }" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Public IPv6 address of any relayed address (if not set, no relay for IPv6).' >> /etc/turnserver/turnserver.conf - echo '## To have multiple address, separate address with a comma' >> /etc/turnserver/turnserver.conf - echo '## (i.e. listen_addressv6 = { "2001:db8:1::1", "2001:db8:2::1" }).' >> /etc/turnserver/turnserver.conf - echo "#listen_addressv6 = { \"2001:db8::1\" }" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## UDP listening port.' >> /etc/turnserver/turnserver.conf - echo "udp_port = $VOIP_TURN_PORT" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## TCP listening port.' >> /etc/turnserver/turnserver.conf - echo "tcp_port = $VOIP_TURN_PORT" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## TLS listening port.' >> /etc/turnserver/turnserver.conf - echo "tls_port = $VOIP_TURN_TLS_PORT" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## TLS support.' >> /etc/turnserver/turnserver.conf - echo 'tls = true' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## DTLS support. It is an experimental feature and is not defined in TURN' >> /etc/turnserver/turnserver.conf - echo '## standard.' >> /etc/turnserver/turnserver.conf - echo 'dtls = false' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Maximum allocation port number.' >> /etc/turnserver/turnserver.conf - echo 'max_port = 65535' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Minimum allocation port number.' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo 'min_port = 49152' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## TURN-TCP support.' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo 'turn_tcp = true' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## TURN-TCP buffering mode:' >> /etc/turnserver/turnserver.conf - echo '## - true, use userspace buffering;' >> /etc/turnserver/turnserver.conf - echo '## - false, use kernel buffering.' >> /etc/turnserver/turnserver.conf - echo 'tcp_buffer_userspace = true' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## TURN-TCP maximum buffer size.' >> /etc/turnserver/turnserver.conf - echo 'tcp_buffer_size = 32768' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Daemon mode.' >> /etc/turnserver/turnserver.conf - echo 'daemon = true' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Unprivileged user.' >> /etc/turnserver/turnserver.conf - echo '## If you want to use this feature create a system user.' >> /etc/turnserver/turnserver.conf - echo '## On Linux: adduser --system --group turnserver' >> /etc/turnserver/turnserver.conf - echo 'unpriv_user = turnserver' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Realm value.' >> /etc/turnserver/turnserver.conf - echo "realm = \"$DEFAULT_DOMAIN_NAME\"" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Nonce key.' >> /etc/turnserver/turnserver.conf - echo "nonce_key = \"$VOIP_TURN_NONCE\"" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Max relay per username.' >> /etc/turnserver/turnserver.conf - echo 'max_relay_per_username = 5' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Allocation lifetime.' >> /etc/turnserver/turnserver.conf - echo 'allocation_lifetime = 1800' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Allocation bandwidth limitation (in KBytes/s).' >> /etc/turnserver/turnserver.conf - echo '## 0 value means bandwidth quota disabled.' >> /etc/turnserver/turnserver.conf - echo 'bandwidth_per_allocation = 150' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Restricted user bandwidth (in KBytes/s).' >> /etc/turnserver/turnserver.conf - echo '## 0 value means bandwidth limitation disabled.' >> /etc/turnserver/turnserver.conf - echo 'restricted_bandwidth = 10' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Denied addresses.' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '# disallow relaying to localhost' >> /etc/turnserver/turnserver.conf - echo 'denied_address {' >> /etc/turnserver/turnserver.conf - echo ' address = "127.0.0.1"' >> /etc/turnserver/turnserver.conf - echo ' mask = "8"' >> /etc/turnserver/turnserver.conf - echo ' port = 0' >> /etc/turnserver/turnserver.conf - echo '}' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '# disallow relaying to ip6-localhost' >> /etc/turnserver/turnserver.conf - echo 'denied_address {' >> /etc/turnserver/turnserver.conf - echo ' address = "::1"' >> /etc/turnserver/turnserver.conf - echo ' mask = "128"' >> /etc/turnserver/turnserver.conf - echo ' port = 0' >> /etc/turnserver/turnserver.conf - echo '}' >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Certification Authority file.' >> /etc/turnserver/turnserver.conf - echo "ca_file = \"/etc/ssl/certs/ca-certificates.crt\"" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Server certificate file.' >> /etc/turnserver/turnserver.conf - if [ -f /etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem ]; then - echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem\"" >> /etc/turnserver/turnserver.conf - else - if [ -f /etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt ]; then - echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt\"" >> /etc/turnserver/turnserver.conf - fi - fi - echo '' >> /etc/turnserver/turnserver.conf - echo '## Private key file.' >> /etc/turnserver/turnserver.conf - echo "private_key_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.key\"" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Account method.' >> /etc/turnserver/turnserver.conf - echo "account_method = \"file\"" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## Account file (if account_method = file).' >> /etc/turnserver/turnserver.conf - echo "account_file = \"/etc/turnserver/turnusers.txt\"" >> /etc/turnserver/turnserver.conf - echo '' >> /etc/turnserver/turnserver.conf - echo '## mod_tmpuser.' >> /etc/turnserver/turnserver.conf - echo 'mod_tmpuser = false' >> /etc/turnserver/turnserver.conf - - echo "${MY_USERNAME}:password:${DEFAULT_DOMAIN_NAME}:authorized" > /etc/turnserver/turnusers.txt - - systemctl restart turnserver - - echo 'install_sip_turn' >> $COMPLETION_FILE -} - -function install_final { - if grep -Fxq "install_final" $COMPLETION_FILE; then - return - fi - # unmount any attached usb drive - if [ -d $USB_MOUNT ]; then - umount $USB_MOUNT - rm -rf $USB_MOUNT - fi - split_gpg_key_into_fragments - echo 'install_final' >> $COMPLETION_FILE - clear - echo '' - echo $" - *** ${PROJECT_NAME} installation is complete. Rebooting... *** - - Now forward these ports from your internet router - - HTTP 80 - HTTPS 443 - SSH 2222 - DLNA 1900 - DLNA 8200 - XMPP 5222-5223 - XMPP 5269 - XMPP 5280-5281 - IRC 6697 - Git 9418 - Email 25 - Email 587 - Email 465 - Email 993 - VoIP 64738 - VoIP 5060 - Tox 33445 - " - if [ -f "/home/$MY_USERNAME/README" ]; then - echo $"See /home/$MY_USERNAME/README for post-installation instructions." - echo '' - fi - # add user menu on ssh login - if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then - echo 'control' >> /home/$MY_USERNAME/.bashrc - fi - if [ ! -f $IMAGE_PASSWORD_FILE ]; then - reboot - fi -} - - -read_configuration -set_default_onion_domains -locale_setup -parse_args -check_domains -install_not_on_BBB -remove_default_user -configure_firewall -configure_firewall_ping -configure_firewall_for_ssh -configure_firewall_for_dns -configure_firewall_for_ftp -configure_firewall_for_web_access -configure_firewall_for_voip -configure_firewall_for_voip_turn -configure_firewall_for_sip4 -configure_firewall_for_avahi -configure_firewall_for_zeronet -configure_firewall_for_ipfs -create_repo_sources -configure_dns -initial_setup -install_tor -#resolve_dns_via_tor -install_command_line_browser -enable_ssh_via_onion -check_date -install_dynamicdns -randomize_cron -create_freedns_updater -mark_admin_user_account -enforce_good_passwords -install_editor -change_login_message -enable_zram -random_number_generator -set_your_domain_name -time_synchronisation_tlsdate -configure_internet_protocol -create_git_project -setup_wifi -configure_ssh -configure_ssh_onion -allow_ssh_to_onion_address -remove_instructions_from_motd -check_hwrng -search_for_attached_usb_drive -regenerate_ssh_keys -create_mirrors -create_upgrade_script -letsencrypt_renewals -install_zeronet -install_watchdog_script -configure_avahi -create_avahi_onion_domains -install_zeronet_blog -install_zeronet_mail -install_zeronet_forum -#install_atheros_wifi -configure_firewall_for_cjdns -mesh_cjdns -mesh_cjdns_tools -configure_firewall_for_batman -mesh_batman -configure_firewall_for_babel -mesh_babel -route_outgoing_traffic_through_tor -configure_email -create_procmail -handle_admin_emails -spam_filtering -configure_imap -#configure_imap_client_certs -configure_gpg -refresh_gpg_keys -configure_backup_key -install_monkeysphere -encrypt_incoming_email -encrypt_outgoing_email -email_client -email_archiving -email_from_address -configure_firewall_for_email -create_public_mailing_list -#create_private_mailing_list -encrypt_all_email -import_email +setup_system +setup_mesh +setup_email +setup_web script_for_attaching_usb_drive -install_web_server -install_web_server_access_control -configure_firewall_for_web_server -configure_firewall_for_syncthing -install_syncthing -upgrade_golang -install_gogs -install_xmpp -install_xmpp_client -install_tox_node -install_tox_client -tox_avahi -configure_firewall_for_xmpp -install_irc_server -configure_firewall_for_irc -install_irc_client -install_voip -install_sip -update_sipwitch_daemon -install_wiki -install_sip_turn -install_blog -mark_blog_domain -install_gnu_social -expire_gnu_social_posts -install_gnu_social_theme -install_gnu_social_markdown -install_gnu_social_plugin_sharings -install_gnu_social_plugin_sharings_theme -install_rss_reader -install_rss_reader_gnusocial -install_rss_mobile_reader -install_hubzilla -#install_webmail -#install_search_engine -install_dlna_server -configure_firewall_for_dlna -#install_media_server -#install_mediagoblin -#install_ipfs -repair_databases_script -backup_to_friends_servers -intrusion_detection -install_final +setup_apps +setup_final + echo "${PROJECT_NAME} installation is complete" exit 0 diff --git a/src/freedombone-app-babel b/src/freedombone-app-babel new file mode 100755 index 00000000..9b86c23a --- /dev/null +++ b/src/freedombone-app-babel @@ -0,0 +1,54 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Babel mesh functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Babel mesh +ENABLE_BABEL="no" +BABEL_PORT=6696 + +function mesh_babel { + if grep -Fxq "mesh_babel" $COMPLETION_FILE; then + return + fi + if [[ $ENABLE_BABEL != "yes" ]]; then + return + fi + + ${PROJECT_NAME}-mesh-install -f babel + if [ ! "$?" = "0" ]; then + echo $'Failed to install babel' + exit 67242 + fi + + function_check configure_firewall_for_babel + configure_firewall_for_babel + echo 'mesh_babel' >> $COMPLETION_FILE +} + +# NOTE: deliberately there is no "exit 0" diff --git a/src/freedombone-app-batman b/src/freedombone-app-batman new file mode 100755 index 00000000..39bb4f06 --- /dev/null +++ b/src/freedombone-app-batman @@ -0,0 +1,66 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# batman adv mesh functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# B.A.T.M.A.N settings +ENABLE_BATMAN="no" +BATMAN_CELLID='any' + +function mesh_batman { + if grep -Fxq "mesh_batman" $COMPLETION_FILE; then + return + fi + if [[ $ENABLE_BATMAN != "yes" ]]; then + return + fi + + ${PROJECT_NAME}-mesh-install -f batman + if [ ! "$?" = "0" ]; then + echo $'Failed to install batman' + exit 72524 + fi + + if ! grep -q "Mesh Networking (B.A.T.M.A.N)" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo 'Mesh Networking (B.A.T.M.A.N)' >> /home/$MY_USERNAME/README + echo '=============================' >> /home/$MY_USERNAME/README + echo "Mesh ESSID: $WIFI_SSID" >> /home/$MY_USERNAME/README + echo "Mesh cell ID: $BATMAN_CELLID" >> /home/$MY_USERNAME/README + echo "Mesh wifi channel: $WIFI_CHANNEL" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + function_check configure_firewall_for_batman + configure_firewall_for_batman + echo 'mesh_batman' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-blog b/src/freedombone-app-blog new file mode 100755 index 00000000..b6f65ef2 --- /dev/null +++ b/src/freedombone-app-blog @@ -0,0 +1,343 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Blog functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +FULLBLOG_DOMAIN_NAME= +FULLBLOG_CODE= +FULLBLOG_ONION_PORT=8086 +FULLBLOG_REPO="https://github.com/danpros/htmly" +FULLBLOG_COMMIT='bf5fe9486160be4da86d8987d3e5c977e1dc6d32' +MY_BLOG_TITLE="My Blog" +MY_BLOG_SUBTITLE="Another ${PROJECT_NAME} Blog" + +function mark_blog_domain { + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if ! grep -q "Blog domain:" $COMPLETION_FILE; then + echo "Blog domain:$FULLBLOG_DOMAIN_NAME" >> $COMPLETION_FILE + fi +} + +function get_blog_admin_password { + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "Your blog password is" /home/$MY_USERNAME/README; then + FULLBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Your blog password is" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi +} + +function install_blog { + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! $FULLBLOG_DOMAIN_NAME ]; then + echo $'The blog domain name was not specified' + exit 5062 + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit /var/www/$FULLBLOG_DOMAIN_NAME/htdocs "Blog commit" "$FULLBLOG_COMMIT" $FULLBLOG_REPO + + if grep -Fxq "install_blog" $COMPLETION_FILE; then + return + fi + + # for the avatar changing command + apt-get -y install imagemagick + + if [ ! -d /var/www/$FULLBLOG_DOMAIN_NAME ]; then + mkdir /var/www/$FULLBLOG_DOMAIN_NAME + fi + + cd /var/www/$FULLBLOG_DOMAIN_NAME + git_clone $FULLBLOG_REPO htdocs + cd htdocs + git checkout $FULLBLOG_COMMIT -b $FULLBLOG_COMMIT + if ! grep -q "Blog commit" $COMPLETION_FILE; then + echo "Blog commit:$FULLBLOG_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/Blog commit.*/Blog commit:$FULLBLOG_COMMIT/g" $COMPLETION_FILE + fi + cd /var/www/$FULLBLOG_DOMAIN_NAME + + chown -R www-data:www-data /var/www/$FULLBLOG_DOMAIN_NAME/htdocs + + if [[ $ONION_ONLY == "no" ]]; then + function_check nginx_http_redirect + nginx_http_redirect $FULLBLOG_DOMAIN_NAME + echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + function_check nginx_limits + nginx_limits $FULLBLOG_DOMAIN_NAME + function_check nginx_ssl + nginx_ssl $FULLBLOG_DOMAIN_NAME + function_check nginx_disable_sniffing + nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME + echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + else + echo -n '' > /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + fi + echo 'server {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " listen 127.0.0.1:${FULLBLOG_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " root /var/www/$FULLBLOG_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " server_name $FULLBLOG_DOMAIN_NAME;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " error_log /var/log/nginx/${FULLBLOG_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' charset utf-8;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + function_check nginx_limits + nginx_limits $FULLBLOG_DOMAIN_NAME + function_check nginx_disable_sniffing + nginx_disable_sniffing $FULLBLOG_DOMAIN_NAME + echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' allow all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' expires 30d;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # block these file types' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # or a unix socket' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~ /\. {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' #deny access to store' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~ /store {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$FULLBLOG_DOMAIN_NAME + + function_check create_site_certificate + create_site_certificate $FULLBLOG_DOMAIN_NAME 'yes' + + function_check configure_php + configure_php + + # blog settings + cp /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini.example /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + sed -i "s|site.url.*|site.url = '/'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + sed -i "s|blog.title.*|blog.title = '$MY_BLOG_TITLE'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + sed -i "s|blog.tagline.*|blog.tagline = '$MY_BLOG_SUBTITLE'|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + sed -i 's|timezone.*|timezone = "Europe/London"|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + sed -i "s|Your name|$MY_NAME|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + + # set social networks + if grep -q "social.hubzilla" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini; then + sed -i "s|;social.hubzilla|social.hubzilla|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + sed -i "s|social.hubzilla.*|social.hubzilla = \"$HUBZILLA_DOMAIN_NAME\"|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + fi + if grep -q "social.gnusocial" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini; then + sed -i "s|;social.gnusocial|social.gnusocial|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + sed -i "s|social.gnusocial.*|social.gnusocial = \"$MICROBLOG_DOMAIN_NAME\"|g" /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + fi + + # clear proprietary social network strings + sed -i 's|social.facebook.*|social.facebook = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + sed -i 's|social.twitter.*|social.twitter = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + sed -i 's|social.google.*|social.google = ""|g' /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/config.ini + + # create a user password + function_check get_blog_admin_password + get_blog_admin_password + if [ ! $FULLBLOG_ADMIN_PASSWORD ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + FULLBLOG_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + FULLBLOG_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'HTMLy Blog' >> /home/$MY_USERNAME/README + echo '==========' >> /home/$MY_USERNAME/README + echo $"Your blog username: $MY_USERNAME" >> /home/$MY_USERNAME/README + echo $"Your blog password is: $FULLBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README + if [[ $ONION_ONLY == 'no' ]]; then + echo $"Log into your blog at https://$FULLBLOG_DOMAIN_NAME/login" >> /home/$MY_USERNAME/README + fi + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + # create a user + FULLBLOG_ADMIN_PASSWORD_HASH=$(freedombone-sec --bloghash "$FULLBLOG_ADMIN_PASSWORD") + if [ ${#FULLBLOG_ADMIN_PASSWORD_HASH} -lt 8 ]; then + echo $'Blog admin password could not be hashed' + exit 625728 + fi + echo ';Password' > /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini + echo "password = $FULLBLOG_ADMIN_PASSWORD_HASH" >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini + echo 'encryption = password_hash' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini + echo ';Role' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini + echo 'role = admin' >> /var/www/$FULLBLOG_DOMAIN_NAME/htdocs/config/users/$MY_USERNAME.ini + + function_check nginx_ensite + nginx_ensite $FULLBLOG_DOMAIN_NAME + + FULLBLOG_ONION_HOSTNAME=$(add_onion_service blog 80 ${FULLBLOG_ONION_PORT}) + + systemctl restart php5-fpm + systemctl restart nginx + + if ! grep -q "Blog onion domain" /home/$MY_USERNAME/README; then + echo $"Blog onion domain: ${FULLBLOG_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README + echo $"Log into your blog at https://${FULLBLOG_ONION_HOSTNAME}/login" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + echo "Blog onion domain:${FULLBLOG_ONION_HOSTNAME}" >> $COMPLETION_FILE + + function_check add_ddns_domain + add_ddns_domain $FULLBLOG_DOMAIN_NAME + + echo 'install_blog' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-cjdns b/src/freedombone-app-cjdns new file mode 100755 index 00000000..a4111e0b --- /dev/null +++ b/src/freedombone-app-cjdns @@ -0,0 +1,447 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# cjdns functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# cjdns settings +ENABLE_CJDNS="no" +CJDNS_PRIVATE_KEY= +CJDNS_PUBLIC_KEY= +CJDNS_IPV6= +CJDNS_PASSWORD= +CJDNS_PORT= +CJDNS_REPO="https://github.com/cjdelisle/cjdns.git" +CJDNS_COMMIT='13189fde111d0500427a7a0ce06a970753527bca' +CJDCMD_REPO="https://github.com/inhies/cjdcmd" +CJDCMD_COMMIT='973cca6ed0eecf9041c3403a40193c0b1291b808' + +function get_cjdns_public_key { + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "cjdns public key" /home/$MY_USERNAME/README; then + if [ ! $CJDNS_PUBLIC_KEY ]; then + CJDNS_PUBLIC_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns public key" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi +} + +function get_cjdns_private_key { + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "cjdns private key" /home/$MY_USERNAME/README; then + if [ ! $CJDNS_PRIVATE_KEY ]; then + CJDNS_PRIVATE_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns private key" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi +} + +function get_cjdns_ipv6_address { + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "cjdns IPv6 address" /home/$MY_USERNAME/README; then + if [ ! $CJDNS_IPV6 ]; then + CJDNS_IPV6=$(cat /home/$MY_USERNAME/README | grep "cjdns IPv6 address" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi +} + +function get_cjdns_port { + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "cjdns port" /home/$MY_USERNAME/README; then + if [ ! $CJDNS_PORT ]; then + CJDNS_PORT=$(cat /home/$MY_USERNAME/README | grep "cjdns port" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi +} + +function get_cjdns_password { + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "cjdns password" /home/$MY_USERNAME/README; then + if [ ! $CJDNS_PASSWORD ]; then + CJDNS_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "cjdns password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi +} + +function mesh_cjdns { + if [[ $ENABLE_CJDNS != "yes" ]]; then + return + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit /etc/cjdns "cjdns commit" "$CJDNS_COMMIT" $CJDNS_REPO + + if grep -Fxq "mesh_cjdns" $COMPLETION_FILE; then + return + fi + + apt-get -y install nodejs git build-essential nmap + + # if a README exists then obtain the cjdns parameters + function_check get_cjdns_ipv6_address + get_cjdns_ipv6_address + + function_check get_cjdns_public_key + get_cjdns_public_key + + function_check get_cjdns_private_key + get_cjdns_private_key + + function_check get_cjdns_port + get_cjdns_port + + function_check get_cjdns_password + get_cjdns_password + + # special compile settings for running ./do on the Beaglebone Black + if [[ $INSTALLING_ON_BBB == "yes" ]]; then + CFLAGS="-O2 -march=armv7-a -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -ffast-math -mfloat-abi=hard -marm -Wno-error=maybe-uninitialized" + export LDFLAGS="$CFLAGS" + fi + + if [ ! -d /etc/cjdns ]; then + function_check git_pull + git_clone $CJDNS_REPO /etc/cjdns + cd /etc/cjdns + + git checkout $CJDNS_COMMIT -b $CJDNS_COMMIT + if ! grep -q "cjdns commit" $COMPLETION_FILE; then + echo "cjdns commit:$CJDNS_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/cjdns commit.*/cjdns commit:$CJDNS_COMMIT/g" $COMPLETION_FILE + fi + + ./do + if [ ! "$?" = "0" ]; then + exit 7439 + fi + # create a configuration + if [ ! -f /etc/cjdns/cjdroute.conf ]; then + ./cjdroute --genconf > /etc/cjdns/cjdroute.conf + if [ ! "$?" = "0" ]; then + exit 5922 + fi + fi + # create a user to run as + useradd cjdns + else + cd /etc/cjdns + function_check git_pull + git_pull $CJDNS_REPO + ./do + if [ ! "$?" = "0" ]; then + exit 9926 + fi + fi + + # set permissions + chown -R cjdns:cjdns /etc/cjdns + chmod 600 /etc/cjdns/cjdroute.conf + + /sbin/ip tuntap add mode tun user cjdns dev cjdroute0 + + # insert values into the configuration file + if [ $CJDNS_PRIVATE_KEY ]; then + sed -i "s/\"privateKey\":.*/\"privateKey\": \"$CJDNS_PRIVATE_KEY\",/g" /etc/cjdns/cjdroute.conf + else + CJDNS_PRIVATE_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"privateKey"' | awk -F '"' '{print $4}' | sed -n 1p) + fi + if [ $CJDNS_PUBLIC_KEY ]; then + sed -i "s/\"publicKey\":.*/\"publicKey\": \"$CJDNS_PUBLIC_KEY\",/g" /etc/cjdns/cjdroute.conf + else + CJDNS_PUBLIC_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"publicKey"' | awk -F '"' '{print $4}' | sed -n 1p) + fi + if [ $CJDNS_IPV6 ]; then + sed -i "s/\"ipv6\":.*/\"ipv6\": \"$CJDNS_IPV6\",/g" /etc/cjdns/cjdroute.conf + else + CJDNS_IPV6=$(cat /etc/cjdns/cjdroute.conf | grep '"ipv6"' | awk -F '"' '{print $4}' | sed -n 1p) + fi + if [ $CJDNS_PASSWORD ]; then + sed -i "0,/{\"password\":.*/s//{\"password\": \"$CJDNS_PASSWORD\"}/g" /etc/cjdns/cjdroute.conf + else + CJDNS_PASSWORD=$(cat /etc/cjdns/cjdroute.conf | grep '"password"' | awk -F '"' '{print $4}' | sed -n 1p) + fi + if [ $CJDNS_PORT ]; then + sed -i "s/\"bind\": \"0.0.0.0:.*/\"bind\": \"0.0.0.0:$CJDNS_PORT\",/g" /etc/cjdns/cjdroute.conf + else + CJDNS_PORT=$(cat /etc/cjdns/cjdroute.conf | grep '"bind": "0.0.0.0:' | awk -F '"' '{print $4}' | awk -F ':' '{print $2}' | sed -n 1p) + fi + + function_check enable_ipv6 + enable_ipv6 + + echo '#!/bin/sh -e' > /etc/init.d/cjdns + echo '### BEGIN INIT INFO' >> /etc/init.d/cjdns + echo '# hyperboria.sh - An init script (/etc/init.d/) for cjdns' >> /etc/init.d/cjdns + echo '# Provides: cjdroute' >> /etc/init.d/cjdns + echo '# Required-Start: $remote_fs $network' >> /etc/init.d/cjdns + echo '# Required-Stop: $remote_fs $network' >> /etc/init.d/cjdns + echo '# Default-Start: 2 3 4 5' >> /etc/init.d/cjdns + echo '# Default-Stop: 0 1 6' >> /etc/init.d/cjdns + echo '# Short-Description: Cjdns router' >> /etc/init.d/cjdns + echo '# Description: A routing engine designed for security, scalability, speed and ease of use.' >> /etc/init.d/cjdns + echo '# cjdns git repo: https://github.com/cjdelisle/cjdns/' >> /etc/init.d/cjdns + echo '### END INIT INFO' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo 'PROG="cjdroute"' >> /etc/init.d/cjdns + echo 'GIT_PATH="/etc/cjdns"' >> /etc/init.d/cjdns + echo 'PROG_PATH="/etc/cjdns"' >> /etc/init.d/cjdns + echo 'CJDNS_CONFIG="cjdroute.conf"' >> /etc/init.d/cjdns + echo 'CJDNS_USER="cjdns"' >> /etc/init.d/cjdns + echo "CJDNS_IP='$CJDNS_IPV6'" >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo 'start() {' >> /etc/init.d/cjdns + echo ' # Start it up with the user cjdns' >> /etc/init.d/cjdns + echo ' if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns + echo ' then' >> /etc/init.d/cjdns + echo ' echo "cjdroute is already running. Doing nothing..."' >> /etc/init.d/cjdns + echo ' else' >> /etc/init.d/cjdns + echo ' echo " * Starting cjdroute"' >> /etc/init.d/cjdns + echo ' su -c "$PROG_PATH/$PROG < $PROG_PATH/$CJDNS_CONFIG" - $CJDNS_USER' >> /etc/init.d/cjdns + echo ' /sbin/ip addr add $CJDNS_IP/8 dev tun0' >> /etc/init.d/cjdns + echo ' /sbin/ip link set mtu 1312 dev tun0' >> /etc/init.d/cjdns + echo ' /sbin/ip link set tun0 up' >> /etc/init.d/cjdns + echo ' /sbin/ip tuntap add mode tun user cjdns dev tun0' >> /etc/init.d/cjdns + echo ' fi' >> /etc/init.d/cjdns + echo '}' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo 'stop() {' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo ' if [ $(pgrep cjdroute | wc -l) != 2 ];' >> /etc/init.d/cjdns + echo ' then' >> /etc/init.d/cjdns + echo ' echo "cjdns isnt running."' >> /etc/init.d/cjdns + echo ' else' >> /etc/init.d/cjdns + echo ' echo "Killing cjdroute"' >> /etc/init.d/cjdns + echo ' killall cjdroute' >> /etc/init.d/cjdns + echo ' fi' >> /etc/init.d/cjdns + echo '}' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo 'status() {' >> /etc/init.d/cjdns + echo ' if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns + echo ' then' >> /etc/init.d/cjdns + echo ' echo "Cjdns is running"' >> /etc/init.d/cjdns + echo ' else' >> /etc/init.d/cjdns + echo ' echo "Cjdns is not running"' >> /etc/init.d/cjdns + echo ' fi' >> /etc/init.d/cjdns + echo '}' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo ' update() {' >> /etc/init.d/cjdns + echo ' cd $GIT_PATH' >> /etc/init.d/cjdns + echo ' echo "Updating..."' >> /etc/init.d/cjdns + echo ' git pull' >> /etc/init.d/cjdns + echo ' ./do' >> /etc/init.d/cjdns + echo '}' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo '## Check to see if we are running as root first.' >> /etc/init.d/cjdns + echo 'if [ "$(id -u)" != "0" ]; then' >> /etc/init.d/cjdns + echo ' echo "This script must be run as root" 1>&2' >> /etc/init.d/cjdns + echo ' exit 1' >> /etc/init.d/cjdns + echo 'fi' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo 'case $1 in' >> /etc/init.d/cjdns + echo ' start)' >> /etc/init.d/cjdns + echo ' start' >> /etc/init.d/cjdns + echo ' exit 0' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo ' stop)' >> /etc/init.d/cjdns + echo ' stop' >> /etc/init.d/cjdns + echo ' exit 0' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo ' reload|restart|force-reload)' >> /etc/init.d/cjdns + echo ' stop' >> /etc/init.d/cjdns + echo ' sleep 1' >> /etc/init.d/cjdns + echo ' start' >> /etc/init.d/cjdns + echo ' exit 0' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo ' status)' >> /etc/init.d/cjdns + echo ' status' >> /etc/init.d/cjdns + echo ' exit 0' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo ' update|upgrade)' >> /etc/init.d/cjdns + echo ' update' >> /etc/init.d/cjdns + echo ' stop' >> /etc/init.d/cjdns + echo ' sleep 2' >> /etc/init.d/cjdns + echo ' start' >> /etc/init.d/cjdns + echo ' exit 0' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo ' **)' >> /etc/init.d/cjdns + echo ' echo "Usage: $0 (start|stop|restart|status|update)" 1>&2' >> /etc/init.d/cjdns + echo ' exit 1' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo 'esac' >> /etc/init.d/cjdns + chmod +x /etc/init.d/cjdns + update-rc.d cjdns defaults + service cjdns start + if [ ! "$?" = "0" ]; then + systemctl status cjdns.service + exit 8260 + fi + + apt-get -y install radvd + echo 'interface eth0' > /etc/radvd.conf + echo '{' >> /etc/radvd.conf + echo ' AdvSendAdvert on;' >> /etc/radvd.conf + echo ' prefix fdfc::1/64' >> /etc/radvd.conf + echo ' {' >> /etc/radvd.conf + echo ' AdvRouterAddr on;' >> /etc/radvd.conf + echo ' };' >> /etc/radvd.conf + echo '};' >> /etc/radvd.conf + systemctl restart radvd + if [ ! "$?" = "0" ]; then + systemctl status radvd.service + exit 4395 + fi + + if ! grep -q "# Mesh Networking (cjdns)" /etc/network/interfaces; then + echo '' >> /etc/network/interfaces + echo '# Mesh Networking (cjdns)' >> /etc/network/interfaces + echo 'iface eth0 inet6 static' >> /etc/network/interfaces + echo ' pre-up modprobe ipv6' >> /etc/network/interfaces + echo ' address fdfc:0000:0000:0000:0000:0000:0000:0001' >> /etc/network/interfaces + echo ' netmask 64' >> /etc/network/interfaces + service network-manager restart + if [ ! "$?" = "0" ]; then + systemctl status networking.service + exit 6949 + fi + fi + + ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT + ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT + + function_ckeck save_firewall_settings + save_firewall_settings + + if ! grep -q $"Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then + CURRENT_IP_ADDRESS=$(ip addr show | grep "inet " | sed -n 2p | awk -F ' ' '{print $2}' | awk -F '/' '{print $1}') + + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Mesh Networking (cjdns)' >> /home/$MY_USERNAME/README + echo '=======================' >> /home/$MY_USERNAME/README + echo $"cjdns IPv6 address: $CJDNS_IPV6" >> /home/$MY_USERNAME/README + echo $"cjdns public key: $CJDNS_PUBLIC_KEY" >> /home/$MY_USERNAME/README + echo $"cjdns private key: $CJDNS_PRIVATE_KEY" >> /home/$MY_USERNAME/README + echo $"cjdns password: $CJDNS_PASSWORD" >> /home/$MY_USERNAME/README + echo $"cjdns port: $CJDNS_PORT" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $"Forward port $CJDNS_PORT from your internet router to the ${PROJECT_NAME}" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Below is an example of your connection credentials' >> /home/$MY_USERNAME/README + echo $'that you can give to other people so they can connect' >> /home/$MY_USERNAME/README + echo $'to you using your default password' >> /home/$MY_USERNAME/README + echo $'Adding a unique password for each user is advisable' >> /home/$MY_USERNAME/README + echo $'so that leaks can be isolated.' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo "\"$CURRENT_IP_ADDRESS:$CJDNS_PORT\":{\"password\":\"$CJDNS_PASSWORD\",\"publicKey\":\"$CJDNS_PUBLIC_KEY\"}" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'More is not better. 3-5 cjdns peers is good. 30 peers is bad.' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'NEVER USE A PUBLIC PEER. These degrade the network and make it centralized.' >> /home/$MY_USERNAME/README + echo $'Each node can handle many peers, but no node can handle the entire internet.' >> /home/$MY_USERNAME/README + echo $'As this network grows any public peer will simply become saturated and' >> /home/$MY_USERNAME/README + echo $'useless causing issues for the entire network.' >> /home/$MY_USERNAME/README + echo $'Please report anyone offering you a public peer as they are promoting shared' >> /home/$MY_USERNAME/README + echo $'passwords which could lead to people pretending to be you. A peering pass' >> /home/$MY_USERNAME/README + echo $'should not contain someone elses nickname or info but should contain yours' >> /home/$MY_USERNAME/README + echo $'to ensure it is not shared. It also helps when editing the conf to know who' >> /home/$MY_USERNAME/README + echo $'each password is for.' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Possible cjdns destinations of interest:' >> /home/$MY_USERNAME/README + echo ' http://transitiontech.ca/faq' >> /home/$MY_USERNAME/README + echo ' http://cjdns.ca/hypeirc.txt' >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + echo 'mesh_cjdns' >> $COMPLETION_FILE +} + +function mesh_cjdns_tools { + if grep -Fxq "mesh_cjdns_tools" $COMPLETION_FILE; then + return + fi + if [[ $ENABLE_CJDNS != "yes" ]]; then + return + fi + if [ ! -d /etc/cjdns ]; then + mesh_cjdns + fi + + function_check select_go_version + select_go_version + + apt-get -y install golang mercurial + if [ ! -f ~/.bashrc ]; then + touch ~/.bashrc + fi + + if [ ! -d /home/git ]; then + # add a gogs user account + adduser --disabled-login --gecos 'Gogs' git + + # install Go + if ! grep -q "export GOPATH=" ~/.bashrc; then + echo "export GOPATH=$GOPATH" >> ~/.bashrc + fi + systemctl set-environment GOPATH=$GOPATH + if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then + echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc + fi + if [ ! -d $GOPATH ]; then + mkdir -p $GOPATH + fi + fi + + if ! grep -q "export GOPATH=" ~/.bashrc; then + echo "export GOPATH=$GOPATH" >> ~/.bashrc + fi + expected_go_path='export PATH=$PATH:'${GOPATH}'/bin' + export PATH=$PATH:${GOPATH}/bin + if ! grep -q "$expected_go_path" ~/.bashrc; then + echo "$expected_go_path" >> ~/.bashrc + fi + export PATH=$PATH:$GOPATH/bin + CJDCMD_REPO2=$(echo "$CJDCMD_REPO" | sed 's|https://||g') + go get $CJDCMD_REPO2 + if [ ! -f $GOPATH/bin/cjdcmd ]; then + echo $'cjdcmd was not compiled. Check your golang installation' + exit 7439 + fi + cp $GOPATH/bin/cjdcmd /usr/bin + + # initialise from the cjdns config + /usr/bin/cjdcmd cjdnsadmin -file /etc/cjdns/cjdroute.conf + + echo 'mesh_cjdns_tools' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-dlna b/src/freedombone-app-dlna new file mode 100755 index 00000000..d0d2a875 --- /dev/null +++ b/src/freedombone-app-dlna @@ -0,0 +1,125 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# DLNA application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function install_dlna_server { + if grep -Fxq "install_dlna_server" $COMPLETION_FILE; then + return + fi + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + apt-get -y install minidlna + + if [ ! -f /etc/minidlna.conf ]; then + echo $"ERROR: minidlna does not appear to have installed. $CHECK_MESSAGE" + exit 55 + fi + + sed -i "s|media_dir=/var/lib/minidlna|media_dir=A,/home/$MY_USERNAME/Music|g" /etc/minidlna.conf + if ! grep -q "/home/$MY_USERNAME/Pictures" /etc/minidlna.conf; then + echo "media_dir=P,/home/$MY_USERNAME/Pictures" >> /etc/minidlna.conf + fi + if ! grep -q "/home/$MY_USERNAME/Videos" /etc/minidlna.conf; then + echo "media_dir=V,/home/$MY_USERNAME/Videos" >> /etc/minidlna.conf + fi + if ! grep -q "$USB_MOUNT/Music" /etc/minidlna.conf; then + echo "media_dir=A,$USB_MOUNT/Music" >> /etc/minidlna.conf + fi + if ! grep -q "$USB_MOUNT/Pictures" /etc/minidlna.conf; then + echo "media_dir=P,$USB_MOUNT/Pictures" >> /etc/minidlna.conf + fi + if ! grep -q "$USB_MOUNT/Videos" /etc/minidlna.conf; then + echo "media_dir=V,$USB_MOUNT/Videos" >> /etc/minidlna.conf + fi + sed -i 's/#root_container=./root_container=B/g' /etc/minidlna.conf + if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then + sed -i 's/#network_interface=/network_interface=eth0/g' /etc/minidlna.conf + else + sed -i 's/#network_interface=/network_interface=$WIFI_INTERFACE/g' /etc/minidlna.conf + fi + sed -i "s/#friendly_name=/friendly_name=\"${PROJECT_NAME} Media\"/g" /etc/minidlna.conf + sed -i 's|#db_dir=/var/cache/minidlna|db_dir=/var/cache/minidlna|g' /etc/minidlna.conf + sed -i 's/#inotify=yes/inotify=yes/g' /etc/minidlna.conf + sed -i 's/#notify_interval=895/notify_interval=300/g' /etc/minidlna.conf + sed -i "s|#presentation_url=/|presentation_url=http://localhost:8200|g" /etc/minidlna.conf + service minidlna force-reload + service minidlna reload + + sed -i 's/fs.inotify.max_user_watches*/fs.inotify.max_user_watches=65536/g' /etc/sysctl.conf + if ! grep -q "max_user_watches" $COMPLETION_FILE; then + echo 'fs.inotify.max_user_watches=65536' >> /etc/sysctl.conf + fi + /sbin/sysctl -p + + function_check configure_firewall_for_dlna + configure_firewall_for_dlna + echo 'install_dlna_server' >> $COMPLETION_FILE +} + +function script_for_attaching_usb_drive { + if grep -Fxq "script_for_attaching_usb_drive" $COMPLETION_FILE; then + return + fi + echo '#!/bin/bash' > /usr/bin/attach-music + echo 'remove-music' >> /usr/bin/attach-music + echo "if [ ! -d $USB_MOUNT ]; then" >> /usr/bin/attach-music + echo " mkdir $USB_MOUNT" >> /usr/bin/attach-music + echo 'fi' >> /usr/bin/attach-music + echo "mount /dev/sda1 $USB_MOUNT" >> /usr/bin/attach-music + echo "chown root:root $USB_MOUNT" >> /usr/bin/attach-music + echo "chown -R minidlna:minidlna $USB_MOUNT/*" >> /usr/bin/attach-music + echo 'service minidlna restart' >> /usr/bin/attach-music + echo 'minidlnad -R' >> /usr/bin/attach-music + chmod +x /usr/bin/attach-music + ln -s /usr/bin/attach-music /usr/bin/attach-usb + ln -s /usr/bin/attach-music /usr/bin/attach-videos + ln -s /usr/bin/attach-music /usr/bin/attach-pictures + ln -s /usr/bin/attach-music /usr/bin/attach-media + + echo '#!/bin/bash' > /usr/bin/remove-music + echo "if [ -d $USB_MOUNT ]; then" >> /usr/bin/remove-music + echo " umount $USB_MOUNT" >> /usr/bin/remove-music + echo " rm -rf $USB_MOUNT" >> /usr/bin/remove-music + echo 'fi' >> /usr/bin/remove-music + chmod +x /usr/bin/remove-music + ln -s /usr/bin/remove-music /usr/bin/detach-music + ln -s /usr/bin/remove-music /usr/bin/detach-usb + ln -s /usr/bin/remove-music /usr/bin/remove-usb + ln -s /usr/bin/remove-music /usr/bin/detach-media + ln -s /usr/bin/remove-music /usr/bin/remove-media + ln -s /usr/bin/remove-music /usr/bin/detach-videos + ln -s /usr/bin/remove-music /usr/bin/remove-videos + ln -s /usr/bin/remove-music /usr/bin/detach-pictures + ln -s /usr/bin/remove-music /usr/bin/remove-pictures + + echo 'script_for_attaching_usb_drive' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-editor b/src/freedombone-app-editor new file mode 100755 index 00000000..c7cbe156 --- /dev/null +++ b/src/freedombone-app-editor @@ -0,0 +1,113 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Editor applications +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function install_editor { + if grep -Fxq "install_editor" $COMPLETION_FILE; then + return + fi + update-alternatives --set editor /usr/bin/emacs24 + + # A minimal emacs configuration + #echo -n "(add-to-list 'load-path " > /home/$MY_USERNAME/.emacs + #echo '"~/.emacs.d/")' >> /home/$MY_USERNAME/.emacs + #echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Remove trailing whitepace ======================================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo ";;(add-hook 'before-save-hook 'delete-trailing-whitespace)" >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo ';; Goto a line number with CTRL-l' >> /home/$MY_USERNAME/.emacs + echo -n '(global-set-key "\C-l" ' >> /home/$MY_USERNAME/.emacs + echo "'goto-line)" >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Show line numbers ==============================================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo "(add-hook 'find-file-hook (lambda () (linum-mode 1)))" >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Enable line wrapping in org-mode ===============================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo " (add-hook 'org-mode-hook" >> /home/$MY_USERNAME/.emacs + echo " '(lambda ()" >> /home/$MY_USERNAME/.emacs + echo " (visual-line-mode 1)))" >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Enable shift select in org mode ================================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo '(setq org-support-shift-select t)' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Set standard indent to 4 rather that 4 =========================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo '(setq standard-indent 4)' >> /home/$MY_USERNAME/.emacs + echo '(setq-default tab-width 4)' >> /home/$MY_USERNAME/.emacs + echo '(setq c-basic-offset 4)' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Support Wheel Mouse Scrolling ==================================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo '(mouse-wheel-mode t)' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Place Backup Files in Specific Directory =======================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo '(setq make-backup-files t)' >> /home/$MY_USERNAME/.emacs + echo '(setq version-control t)' >> /home/$MY_USERNAME/.emacs + echo '(setq backup-directory-alist (quote ((".*" . "~/.emacs_backups/"))))' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Make Text mode the default mode for new buffers ================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo "(setq default-major-mode 'text-mode)" >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Line length ====================================================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo '(setq-default fill-column 72)' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Enable Line and Column Numbering ===============================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo '(line-number-mode 1)' >> /home/$MY_USERNAME/.emacs + echo '(column-number-mode 1)' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Turn on Auto Fill mode automatically in all modes ==============' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo ';; Auto-fill-mode the the automatic wrapping of lines and insertion of' >> /home/$MY_USERNAME/.emacs + echo ';; newlines when the cursor goes over the column limit.' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo ';; This should actually turn on auto-fill-mode by default in all major' >> /home/$MY_USERNAME/.emacs + echo ';; modes. The other way to do this is to turn on the fill for specific modes' >> /home/$MY_USERNAME/.emacs + echo ';; via hooks.' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo '(setq auto-fill-mode 1)' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo $';; ===== Enable GPG encryption =========================================' >> /home/$MY_USERNAME/.emacs + echo '' >> /home/$MY_USERNAME/.emacs + echo "(require 'epa)" >> /home/$MY_USERNAME/.emacs + echo '(epa-file-enable)' >> /home/$MY_USERNAME/.emacs + cp /home/$MY_USERNAME/.emacs /root/.emacs + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs + + echo 'install_editor' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-email b/src/freedombone-app-email new file mode 100755 index 00000000..ff1a2cc4 --- /dev/null +++ b/src/freedombone-app-email @@ -0,0 +1,1501 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Email functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# the default email address +MY_EMAIL_ADDRESS=$MY_USERNAME@$DEFAULT_DOMAIN_NAME + +# If you want to run a public mailing list specify its name here. +# There should be no spaces in the name +PUBLIC_MAILING_LIST= +# Optional different domain name for the public mailing list +PUBLIC_MAILING_LIST_DOMAIN_NAME= +# Directory where the public mailing list data is stored +PUBLIC_MAILING_LIST_DIRECTORY="/var/spool/mlmmj" + +# If you want to run an encrypted mailing list specify its name here. +# There should be no spaces in the name +PRIVATE_MAILING_LIST= + +GPG_KEYSERVER="hkp://keys.gnupg.net" + +# whether to encrypt all incoming email with your public key +GPG_ENCRYPT_STORED_EMAIL="yes" + +# gets set to yes if gpg keys are imported from usb +GPG_KEYS_IMPORTED="no" + +# optionally you can provide your exported GPG key pair here +# Note that the private key file will be deleted after use +# If these are unspecified then a new GPG key will be created +MY_GPG_PUBLIC_KEY= +MY_GPG_PRIVATE_KEY= + +# optionally specify your public key ID +MY_GPG_PUBLIC_KEY_ID= + +# If you have existing mail within a Maildir +# you can specify the directory here and the files +# will be imported +IMPORT_MAILDIR= + +EXIM_ONION_REPO="https://github.com/petterreinholdtsen/exim4-smtorp" + +# automatic archiving of email +CLEANUP_MAILDIR_REPO="https://github.com/bashrc/cleanup-maildir" +CLEANUP_MAILDIR_COMMIT='33241d2e3861f901ba17f5c77ada007e1ec06a86' + +# email encryption at rest +GPGIT_REPO="https://github.com/mikecardwell/gpgit" +GPGIT_COMMIT='583dc76119f19420f8a33f606744faa7c8922738' + +# refresh gpg keys every few hours +REFRESH_GPG_KEYS_HOURS=2 + +function encrypt_incoming_email { + # encrypts incoming mail using your GPG public key + # so even if an attacker gains access to the data at rest they still need + # to know your GPG key password to be able to read anything + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit $INSTALL_DIR/gpgit "gpgit commit" "$GPGIT_COMMIT" $GPGIT_REPO + + if grep -Fxq "encrypt_incoming_email" $COMPLETION_FILE; then + return + fi + + if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then + return + fi + + if [ ! -f /usr/bin/gpgit.pl ]; then + apt-get -y install git libmail-gnupg-perl + cd $INSTALL_DIR + function_check git_clone + git_clone $GPGIT_REPO $INSTALL_DIR/gpgit + cd $INSTALL_DIR/gpgit + git checkout $GPGIT_COMMIT -b $GPGIT_COMMIT + if ! grep -q "gpgit commit" $COMPLETION_FILE; then + echo "gpgit commit:$GPGIT_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/gpgit commit.*/gpgit commit:$GPGIT_COMMIT/g" $COMPLETION_FILE + fi + cp gpgit.pl /usr/bin + fi + + # add a procmail rule + if ! grep -q "/usr/bin/gpgit.pl" /home/$MY_USERNAME/.procmailrc; then + echo '' >> /home/$MY_USERNAME/.procmailrc + echo ':0 f' >> /home/$MY_USERNAME/.procmailrc + echo "| /usr/bin/gpgit.pl --encrypt-mode prefer-inline --inline-flatten $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/.procmailrc + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc + echo '' >> /etc/skel/.procmailrc + echo ':0 f' >> /etc/skel/.procmailrc + echo -n '| /usr/bin/gpgit.pl --encrypt-mode prefer-inline --inline-flatten $USER@' >> /etc/skel/.procmailrc + echo "$DEFAULT_DOMAIN_NAME" >> /etc/skel/.procmailrc + fi + echo 'encrypt_incoming_email' >> $COMPLETION_FILE +} + +function encrypt_outgoing_email { + # encrypts outgoing mail using your GPG public key + # so even if an attacker gains access to the data at rest they still need + # to know your GPG key password to be able to read sent mail + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "encrypt_outgoing_email" $COMPLETION_FILE; then + return + fi + if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then + return + fi + + if [ ! -d /home/$MY_USERNAME/.gnupg ]; then + return + fi + + if [ ! -f /home/$MY_USERNAME/.muttrc ]; then + return + fi + + # obtain your public key ID + if [ ! $MY_GPG_PUBLIC_KEY_ID ]; then + MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") + if [ ! "$MY_GPG_PUBLIC_KEY_ID" ]; then + return + fi + if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then + return + fi + fi + + if ! grep -q "pgp_encrypt_only_command" /home/$MY_USERNAME/.muttrc; then + echo '' >> /home/$MY_USERNAME/.muttrc + echo $'# Encrypt items in the Sent folder' >> /home/$MY_USERNAME/.muttrc + echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc + else + sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc + fi + + if ! grep -q "pgp_encrypt_sign_command" /home/$MY_USERNAME/.muttrc; then + echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> /home/$MY_USERNAME/.muttrc + else + sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x$MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" /home/$MY_USERNAME/.muttrc + fi + + echo 'encrypt_outgoing_email' >> $COMPLETION_FILE +} + +function encrypt_all_email { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [[ $GPG_ENCRYPT_STORED_EMAIL != "yes" ]]; then + return + fi + + if [ -f /usr/local/bin/${PROJECT_NAME}-encrypt-mail ]; then + cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir + else + cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir + fi + chmod +x /usr/bin/encmaildir + + if grep -Fxq "encrypt_all_email" $COMPLETION_FILE; then + return + fi + + if [ ! /home/$MY_USERNAME/README ]; then + touch /home/$MY_USERNAME/README + fi + if ! grep -q $"If you have imported legacy email which is not encrypted" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Encrypting legacy email' >> /home/$MY_USERNAME/README + echo '=======================' >> /home/$MY_USERNAME/README + echo $'If you have imported legacy email which is not encrypted' >> /home/$MY_USERNAME/README + echo $'then it can be encrypted with the command:' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo ' encmaildir' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'But be warned that depending upon how much email you have' >> /home/$MY_USERNAME/README + echo $'this could take a seriously LONG time on the Beaglebone' >> /home/$MY_USERNAME/README + echo $'and may be better done on a faster machine.' >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + echo 'encrypt_all_email' >> $COMPLETION_FILE +} + +function email_client { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "email_client" $COMPLETION_FILE; then + return + fi + apt-get -y install mutt-patched lynx abook + + if [ ! -f /etc/Muttrc ]; then + echo $"ERROR: Mutt does not appear to have installed. $CHECK_MESSAGE" + exit 49 + fi + + if [ ! -d /home/$MY_USERNAME/.mutt ]; then + mkdir /home/$MY_USERNAME/.mutt + fi + echo "text/html; lynx -dump -width=78 -nolist %s | sed ‘s/^ //’; copiousoutput; needsterminal; nametemplate=%s.html" > /home/$MY_USERNAME/.mutt/mailcap + cp /home/$MY_USERNAME/.mutt/mailcap /etc/skel/.mutt + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.mutt + chown -R root:root /etc/skel/.mutt + + echo 'set mbox_type=Maildir' >> /etc/Muttrc + echo 'set folder="~/Maildir"' >> /etc/Muttrc + echo 'set mask="!^\\.[^.]"' >> /etc/Muttrc + echo 'set mbox="~/Maildir"' >> /etc/Muttrc + echo 'set record="+Sent"' >> /etc/Muttrc + echo 'set postponed="+Drafts"' >> /etc/Muttrc + echo 'set trash="+Trash"' >> /etc/Muttrc + echo 'set spoolfile="~/Maildir"' >> /etc/Muttrc + echo 'auto_view text/x-vcard text/html text/enriched' >> /etc/Muttrc + echo 'set editor="emacs -q --load ~/.emacs-mutt"' >> /etc/Muttrc + echo 'set header_cache="+.cache"' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo 'macro index S "=.learn-spam" "move to learn-spam"' >> /etc/Muttrc + echo 'macro pager S "=.learn-spam" "move to learn-spam"' >> /etc/Muttrc + echo 'macro index H "=.learn-ham" "copy to learn-ham"' >> /etc/Muttrc + echo 'macro pager H "=.learn-ham" "copy to learn-ham"' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# set up the sidebar' >> /etc/Muttrc + echo 'set sidebar_width=22' >> /etc/Muttrc + echo 'set sidebar_visible=yes' >> /etc/Muttrc + echo "set sidebar_delim='|'" >> /etc/Muttrc + echo 'set sidebar_sort=yes' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo 'set rfc2047_parameters' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# Show inbox and sent items' >> /etc/Muttrc + echo 'mailboxes = =Sent =maybe-spam =spam' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# Alter these colours as needed for maximum bling' >> /etc/Muttrc + echo 'color sidebar_new yellow default' >> /etc/Muttrc + echo 'color normal white default' >> /etc/Muttrc + echo 'color hdrdefault brightcyan default' >> /etc/Muttrc + echo 'color signature green default' >> /etc/Muttrc + echo 'color attachment brightyellow default' >> /etc/Muttrc + echo 'color quoted green default' >> /etc/Muttrc + echo 'color quoted1 white default' >> /etc/Muttrc + echo 'color tilde blue default' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# ctrl-n, ctrl-p to select next, prev folder' >> /etc/Muttrc + echo '# ctrl-o to open selected folder' >> /etc/Muttrc + echo 'bind index \Cp sidebar-prev' >> /etc/Muttrc + echo 'bind index \Cn sidebar-next' >> /etc/Muttrc + echo 'bind index \Co sidebar-open' >> /etc/Muttrc + echo 'bind pager \Cp sidebar-prev' >> /etc/Muttrc + echo 'bind pager \Cn sidebar-next' >> /etc/Muttrc + echo 'bind pager \Co sidebar-open' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# ctrl-b toggles sidebar visibility' >> /etc/Muttrc + echo "macro index,pager \Cb 'toggle sidebar_visible' 'toggle sidebar'" >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# esc-m Mark new messages as read' >> /etc/Muttrc + echo 'macro index m "T~N;WNT~O;WO\CT~T" "mark all messages read"' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# Collapsing threads' >> /etc/Muttrc + echo 'macro index [ "" "collapse/uncollapse thread"' >> /etc/Muttrc + echo 'macro index ] "" "collapse/uncollapse all threads"' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# threads containing new messages' >> /etc/Muttrc + echo 'uncolor index "~(~N)"' >> /etc/Muttrc + echo 'color index brightblue default "~(~N)"' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# new messages themselves' >> /etc/Muttrc + echo 'uncolor index "~N"' >> /etc/Muttrc + echo 'color index brightyellow default "~N"' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# GPG/PGP integration' >> /etc/Muttrc + echo '# this set the number of seconds to keep in memory the passphrase used to encrypt/sign' >> /etc/Muttrc + echo 'set pgp_timeout=1800' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# automatically sign and encrypt with PGP/MIME' >> /etc/Muttrc + echo 'set pgp_autosign # autosign all outgoing mails' >> /etc/Muttrc + echo 'set pgp_autoencrypt # Try to encrypt automatically' >> /etc/Muttrc + echo 'set pgp_replyencrypt # autocrypt replies to crypted' >> /etc/Muttrc + echo 'set pgp_replysign # autosign replies to signed' >> /etc/Muttrc + echo 'set pgp_auto_decode=yes # decode attachments' >> /etc/Muttrc + echo 'set fcc_clear=no # Keep encrypted copy of sent encrypted mail' >> /etc/Muttrc + echo 'unset smime_is_default' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo 'set alias_file=~/.mutt-alias' >> /etc/Muttrc + echo 'source ~/.mutt-alias' >> /etc/Muttrc + echo 'set query_command= "abook --mutt-query \"%s\""' >> /etc/Muttrc + echo 'macro index,pager A "abook --add-email-quiet" "add the sender address to abook"' >> /etc/Muttrc + echo '' >> /etc/Muttrc + echo '# Optional relay of SMTP via ISP' >> /etc/Muttrc + echo '#set smtp_url="smtps://username:password@isp_mail_domain:465/"' >> /etc/Muttrc + + # create an Emacs configuration specifically for use with Mutt, which + # has word wrap and spell checking on by default + echo "(add-hook 'before-save-hook 'delete-trailing-whitespace)" > /home/$MY_USERNAME/.emacs-mutt + echo '(setq org-support-shift-select t)' >> /home/$MY_USERNAME/.emacs-mutt + echo '(setq standard-indent 4)' >> /home/$MY_USERNAME/.emacs-mutt + echo '(setq-default tab-width 4)' >> /home/$MY_USERNAME/.emacs-mutt + echo '(setq c-basic-offset 4)' >> /home/$MY_USERNAME/.emacs-mutt + echo '(mouse-wheel-mode t)' >> /home/$MY_USERNAME/.emacs-mutt + echo '(setq make-backup-files t)' >> /home/$MY_USERNAME/.emacs-mutt + echo '(setq version-control t)' >> /home/$MY_USERNAME/.emacs-mutt + echo '(setq backup-directory-alist (quote ((".*" . "~/.emacs_backups/"))))' >> /home/$MY_USERNAME/.emacs-mutt + echo "(setq default-major-mode 'text-mode)" >> /home/$MY_USERNAME/.emacs-mutt + echo "(dolist (hook '(text-mode-hook))" >> /home/$MY_USERNAME/.emacs-mutt + echo ' (add-hook hook (lambda () (flyspell-mode 1))))' >> /home/$MY_USERNAME/.emacs-mutt + echo '(setq-default fill-column 72)' >> /home/$MY_USERNAME/.emacs-mutt + echo '(setq auto-fill-mode 0)' >> /home/$MY_USERNAME/.emacs-mutt + echo "(add-hook 'text-mode-hook 'turn-on-auto-fill)" >> /home/$MY_USERNAME/.emacs-mutt + echo "(setq-default auto-fill-function 'do-auto-fill)" >> /home/$MY_USERNAME/.emacs-mutt + + # add the emacs mutt configuration to the user profile skeleton + if [ ! -f /etc/skel/.emacs-mutt ]; then + cp /home/$MY_USERNAME/.emacs-mutt /etc/skel/.emacs-mutt + chown root:root /etc/skel/.emacs-mutt + fi + + cp -f /etc/Muttrc /home/$MY_USERNAME/.muttrc + cp -f /etc/Muttrc /etc/skel/.muttrc + touch /home/$MY_USERNAME/.mutt-alias + cp /home/$MY_USERNAME/.mutt-alias /etc/skel/.mutt-alias + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs-mutt + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.muttrc + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.mutt-alias + + # default user on generic images + if [ -d /home/${GENERIC_IMAGE_USERNAME} ]; then + cp -f /etc/Muttrc /home/${GENERIC_IMAGE_USERNAME}/.muttrc + chown ${GENERIC_IMAGE_USERNAME}:${GENERIC_IMAGE_USERNAME} /home/${GENERIC_IMAGE_USERNAME}/.muttrc + touch /home/${GENERIC_IMAGE_USERNAME}/.mutt-alias + chown ${GENERIC_IMAGE_USERNAME}:${GENERIC_IMAGE_USERNAME} /home/${GENERIC_IMAGE_USERNAME}/.mutt-alias + cp /etc/skel/.emacs-mutt /home/${GENERIC_IMAGE_USERNAME}/.emacs-mutt + chown ${GENERIC_IMAGE_USERNAME}:${GENERIC_IMAGE_USERNAME} /home/${GENERIC_IMAGE_USERNAME}/.emacs-mutt + fi + + echo 'email_client' >> $COMPLETION_FILE +} + +function email_archiving { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + # ensure that the mail archive script is up to date + if [ -f /usr/local/bin/${PROJECT_NAME}-archive-mail ]; then + cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail + else + if [ -f /usr/bin/${PROJECT_NAME}-archive-mail ]; then + cp /usr/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail + else + echo "/usr/bin/${PROJECT_NAME}-archive-mail was not found. ${PROJECT_NAME} might not have fully installed." + exit 62379 + fi + fi + chmod +x /etc/cron.daily/archivemail + + # update to the next commit + function_check set_repo_commit + set_repo_commit $INSTALL_DIR/cleanup-maildir "cleanup-maildir commit" "$CLEANUP_MAILDIR_COMMIT" $CLEANUP_MAILDIR_REPO + + if grep -Fxq "email_archiving" $COMPLETION_FILE; then + return + fi + + if [ ! -d $INSTALL_DIR ]; then + mkdir $INSTALL_DIR + fi + cd $INSTALL_DIR + function_check git_clone + git_clone $CLEANUP_MAILDIR_REPO $INSTALL_DIR/cleanup-maildir + cd $INSTALL_DIR/cleanup-maildir + git checkout $CLEANUP_MAILDIR_COMMIT -b $CLEANUP_MAILDIR_COMMIT + if ! grep -q "cleanup-maildir commit" $COMPLETION_FILE; then + echo "cleanup-maildir commit:$CLEANUP_MAILDIR_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/cleanup-maildir commit.*/cleanup-maildir commit:$CLEANUP_MAILDIR_COMMIT/g" $COMPLETION_FILE + fi + + cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin + + echo 'email_archiving' >> $COMPLETION_FILE +} + +# Ensure that the from field is correct when sending email from Mutt +function email_from_address { + if grep -Fxq "email_from_address" $COMPLETION_FILE; then + return + fi + + if [ ! -f /home/$MY_USERNAME/.muttrc ]; then + return + fi + if grep -q "set from=" /home/$MY_USERNAME/.muttrc; then + sed -i "s|set from=.*|set from='$MY_NAME <$MY_EMAIL_ADDRESS>'|g" /home/$MY_USERNAME/.muttrc + else + echo "set from='$MY_NAME <$MY_EMAIL_ADDRESS>'" >> /home/$MY_USERNAME/.muttrc + fi + + echo 'email_from_address' >> $COMPLETION_FILE +} + +function create_public_mailing_list { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "create_public_mailing_list" $COMPLETION_FILE; then + return + fi + if [ ! $PUBLIC_MAILING_LIST ]; then + return + fi + # does the mailing list have a separate domain name? + if [ ! $PUBLIC_MAILING_LIST_DOMAIN_NAME ]; then + PUBLIC_MAILING_LIST_DOMAIN_NAME=$DEFAULT_DOMAIN_NAME + fi + + PUBLIC_MAILING_LIST_USER="mlmmj" + + apt-get -y install mlmmj + adduser --system $PUBLIC_MAILING_LIST_USER + addgroup $PUBLIC_MAILING_LIST_USER + adduser $PUBLIC_MAILING_LIST_USER $PUBLIC_MAILING_LIST_USER + + echo '' + echo $"Creating the $PUBLIC_MAILING_LIST mailing list" + echo '' + + # create the list + mlmmj-make-ml -a -L "$PUBLIC_MAILING_LIST" -c $PUBLIC_MAILING_LIST_USER + + echo 'SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe' > /etc/exim4/conf.d/main/000_localmacros + echo "SYSTEM_ALIASES_USER = $PUBLIC_MAILING_LIST_USER" >> /etc/exim4/conf.d/main/000_localmacros + echo "SYSTEM_ALIASES_GROUP = $PUBLIC_MAILING_LIST_USER" >> /etc/exim4/conf.d/main/000_localmacros + + # router + echo 'mlmmj_router:' > /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' debug_print = "R: mlmmj_router for $local_part@$domain"' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' driver = accept' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' domains = +mlmmj_domains' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' #require_files = MLMMJ_HOME/${lc::$local_part}' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' # Use this instead, if you dont want to give Exim rx rights to mlmmj spool.' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' # Exim will then spawn a new process running under the UID of "mlmmj".' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' require_files = mlmmj:MLMMJ_HOME/${lc::$local_part}' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' local_part_suffix = +*' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' local_part_suffix_optional' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' headers_remove = Delivered-To' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' headers_add = Delivered-To: $local_part$local_part_suffix@$domain' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + echo ' transport = mlmmj_transport' >> /etc/exim4/conf.d/router/750_exim4-config_mlmmj + + # transport + echo 'mlmmj_transport:' > /etc/exim4/conf.d/transport/40_exim4-config_mlmmj + echo ' debug_print = "T: mlmmj_transport for $local_part@$domain"' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj + echo ' driver = pipe' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj + echo ' return_path_add' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj + echo ' user = mlmmj' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj + echo ' group = mlmmj' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj + echo ' home_directory = MLMMJ_HOME' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj + echo ' current_directory = MLMMJ_HOME' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj + echo ' command = /usr/bin/mlmmj-receive -F -L MLMMJ_HOME/${lc:$local_part}' >> /etc/exim4/conf.d/transport/40_exim4-config_mlmmj + + if ! grep -q "MLMMJ_HOME=/var/spool/mlmmj" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then + sed -i '/MAIN CONFIGURATION SETTINGS/a\MLMMJ_HOME=/var/spool/mlmmj' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs + fi + if ! grep -q "domainlist mlmmj_domains =" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then + sed -i "/MLMMJ_HOME/a\domainlist mlmmj_domains = $PUBLIC_MAILING_LIST_DOMAIN_NAME" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs + fi + + + if ! grep -q "delay_warning_condition =" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then + sed -i '/domainlist mlmmj_domains =/a\delay_warning_condition = ${if match_domain{$domain}{+mlmmj_domains}{no}{yes}}' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs + fi + if ! grep -q ": +mlmmj_domains" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then + sed -i 's/domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS/domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS : +mlmmj_domains/g' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs + fi + + if ! grep -q "! +mlmmj_domains" /etc/exim4/conf.d/router/200_exim4-config_primary; then + sed -i 's/domains = ! +local_domains/domains = ! +mlmmj_domains : ! +local_domains/g' /etc/exim4/conf.d/router/200_exim4-config_primary + fi + update-exim4.conf.template -r + update-exim4.conf + systemctl restart exim4 + + if ! grep -q $"$PUBLIC_MAILING_LIST mailing list" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $"$PUBLIC_MAILING_LIST mailing list" >> /home/$MY_USERNAME/README + echo '=================================' >> /home/$MY_USERNAME/README + echo $"To subscribe to the $PUBLIC_MAILING_LIST mailing list send a" >> /home/$MY_USERNAME/README + echo $"cleartext email to $PUBLIC_MAILING_LIST+subscribe@$DEFAULT_DOMAIN_NAME" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + ${PROJECT_NAME}-addlist -u $MY_USERNAME -l "$PUBLIC_MAILING_LIST" -s "$PUBLIC_MAILING_LIST" + + echo 'create_public_mailing_list' >> $COMPLETION_FILE +} + +function create_private_mailing_list { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + # This installation doesn't work, results in ruby errors + # There is currently no schleuder package for Debian jessie + if grep -Fxq "create_private_mailing_list" $COMPLETION_FILE; then + return + fi + if [ ! $PRIVATE_MAILING_LIST ]; then + return + fi + if [[ $PRIVATE_MAILING_LIST == $MY_USERNAME ]]; then + echo $'The name of the private mailing list should not be the same as your username' + exit 10 + fi + if [ ! $MY_GPG_PUBLIC_KEY ]; then + echo $'To create a private mailing list you need to specify a file' + echo $'containing your exported GPG key within MY_GPG_PUBLIC_KEY at' + echo $'the top of the script' + exit 11 + fi + apt-get -y install ruby ruby-dev ruby-gpgme libgpgme11-dev libmagic-dev + gem install schleuder + schleuder-fix-gem-dependencies + schleuder-init-setup --gem + # NOTE: this is version number sensitive and so might need changing + ln -s /var/lib/gems/2.1.0/gems/schleuder-2.2.4 /var/lib/schleuder + sed -i 's/#smtp_port: 25/smtp_port: 465/g' /etc/schleuder/schleuder.conf + sed -i 's/#superadminaddr: root@localhost/superadminaddr: root@localhost' /etc/schleuder/schleuder.conf + schleuder-newlist $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME -realname "$PRIVATE_MAILING_LIST" -adminaddress $MY_EMAIL_ADDRESS -initmember $MY_EMAIL_ADDRESS -initmemberkey $MY_GPG_PUBLIC_KEY -nointeractive + ${PROJECT_NAME}-addemail -u $MY_USERNAME -e $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME -l $PRIVATE_MAILING_LIST + + echo 'schleuder:' > /etc/exim4/conf.d/router/550_exim4-config_schleuder + echo ' debug_print = "R: schleuder for $local_part@$domain"' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder + echo ' driver = accept' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder + echo ' local_part_suffix_optional' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder + echo ' local_part_suffix = +* : -bounce : -sendkey' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder + echo ' domains = +local_domains' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder + echo ' user = schleuder' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder + echo ' group = schleuder' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder + echo ' require_files = schleuder:+/var/lib/schleuder/$domain/${local_part}' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder + echo ' transport = schleuder_transport' >> /etc/exim4/conf.d/router/550_exim4-config_schleuder + + echo 'schleuder_transport:' > /etc/exim4/conf.d/transport/30_exim4-config_schleuder + echo ' debug_print = "T: schleuder_transport for $local_part@$domain"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder + echo ' driver = pipe' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder + echo ' home_directory = "/var/lib/schleuder/$domain/$local_part"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder + echo ' command = "/usr/bin/schleuder $local_part@$domain"' >> /etc/exim4/conf.d/transport/30_exim4-config_schleuder + chown -R schleuder:schleuder /var/lib/schleuder + update-exim4.conf.template -r + update-exim4.conf + systemctl restart exim4 + useradd -d /var/schleuderlists -s /bin/false schleuder + adduser Debian-exim schleuder + usermod -a -G mail schleuder + #exim -d -bt $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME + echo 'create_private_mailing_list' >> $COMPLETION_FILE +} + +function split_gpg_key_into_fragments { + # split the gpg key into fragments if social key management is enabled + if [[ $ENABLE_SOCIAL_KEY_MANAGEMENT == "yes" ]]; then + echo 'Splitting GPG key. You may need to enter your passphrase.' + ${PROJECT_NAME}-splitkey -u $MY_USERNAME -e $MY_EMAIL_ADDRESS --fullname "$MY_NAME" + if [ ! -d /home/$MY_USERNAME/.gnupg_fragments ]; then + echo 'Yhe GPG key could not be split' + exit 86548 + fi + fi +} + +function import_email { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + EMAIL_COMPLETE_MSG=$" + *** ${PROJECT_NAME} mailbox installation is complete *** + + Now on your internet router forward ports + 25, 587, 465, 993 and 2222 to the ${PROJECT_NAME} +" + if grep -Fxq "import_email" $COMPLETION_FILE; then + if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then + function_check backup_to_friends_servers + backup_to_friends_servers + + function_check intrusion_detection + intrusion_detection + + function_check split_gpg_key_into_fragments + split_gpg_key_into_fragments + + clear + echo '' + echo "$EMAIL_COMPLETE_MSG" + if [ -d $USB_MOUNT ]; then + umount $USB_MOUNT + rm -rf $USB_MOUNT + echo $' You can now remove the USB drive' + fi + exit 0 + fi + return + fi + if [ $IMPORT_MAILDIR ]; then + if [ -d $IMPORT_MAILDIR ]; then + echo $'Transfering email files' + cp -r $IMPORT_MAILDIR /home/$MY_USERNAME + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir + else + echo $"Email import directory $IMPORT_MAILDIR not found" + exit 9 + fi + fi + echo 'import_email' >> $COMPLETION_FILE + if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then + function_check backup_to_friends_servers + backup_to_friends_servers + + function_check intrusion_detection + intrusion_detection + + function_check split_gpg_key_into_fragments + split_gpg_key_into_fragments + + # unmount any attached usb drive + clear + echo '' + echo "$EMAIL_COMPLETE_MSG" + echo '' + if [ -d $USB_MOUNT ]; then + umount $USB_MOUNT + rm -rf $USB_MOUNT + echo $' You can now remove the USB drive' + fi + exit 0 + fi +} + +function configure_email { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "configure_email" $COMPLETION_FILE; then + return + fi + apt-get -y remove postfix + apt-get -y install exim4 sasl2-bin swaks libnet-ssleay-perl procmail xinetd + + if [ ! -d /etc/exim4 ]; then + echo $"ERROR: Exim does not appear to have installed. $CHECK_MESSAGE" + exit 48 + fi + + onion_service_name='email' + if [ ! -d /var/lib/tor ]; then + echo $"No Tor installation found. ${onion_service_name} onion site cannot be configured." + exit 877367 + fi + if ! grep -q "hidden_service_${onion_service_name}" /etc/tor/torrc; then + echo "HiddenServiceDir /var/lib/tor/hidden_service_${onion_service_name}/" >> /etc/tor/torrc + echo 'HiddenServicePort 25 127.0.0.1:25' >> /etc/tor/torrc + echo 'HiddenServicePort 587 127.0.0.1:587' >> /etc/tor/torrc + echo 'HiddenServicePort 465 127.0.0.1:465' >> /etc/tor/torrc + echo 'HiddenServicePort 993 127.0.0.1:993' >> /etc/tor/torrc + echo $"Added onion site for ${onion_service_name}" + fi + + systemctl restart tor + function_check wait_for_onion_service + wait_for_onion_service ${onion_service_name} + + if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then + echo $"${onion_service_name} onion site hostname not found" + exit 76362 + fi + EMAIL_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname) + + if [[ $ONION_ONLY != "no" ]]; then + function_check set_hostname + set_hostname ${EMAIL_ONION_HOSTNAME} + MY_EMAIL_ADDRESS=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME} + fi + if ! grep -q "Email onion domain" $COMPLETION_FILE; then + echo "Email onion domain:${EMAIL_ONION_HOSTNAME}" >> $COMPLETION_FILE + else + sed -i "s|Email onion domain.*|Email onion domain:${EMAIL_ONION_HOSTNAME}|g" $COMPLETION_FILE + fi + + # see https://github.com/petterreinholdtsen/exim4-smtorp + echo '# tor stuff first' > /etc/exim4/conf.d/router/100_exim4-smtorp + echo '#' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo '# if were submitting mail *from* a .tor/.onion address,' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo '# make sure any header lines that may give us away is' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo '# stripped out, and add a new, cryptic Message-ID.' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo '# In address_data we store the name we should HELO as.' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo 'tor_to_any:' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' debug_print = "R: manualroute from .onion to $local_part@$domain"' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' driver = manualroute' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' domains = ! +local_domains' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' condition = ${if match {$sender_address_domain}{\N.*\.(onion|tor)$\N}}' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' address_data = $sender_address_domain' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' transport = remote_smtp_onion' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' self = send' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' route_list = * localhost' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' headers_remove = Received:Message-ID:X-Mailer:User-Agent' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' headers_add = Message-ID: <${lc:${sha1:$message_id}}@$sender_address_domain>' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo '' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo '# this catches the case where were submitting mail' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo '# from a regular email address where we dont need to' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo '# rewrite any headers' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo 'any_to_tor:' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' debug_print = "R: manualroute for $local_part@$domain"' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' driver = manualroute' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' domains = ! +local_domains' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' transport = remote_smtp_onion' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' self = send' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' route_list = *.onion localhost ; *.tor localhost' >> /etc/exim4/conf.d/router/100_exim4-smtorp + echo ' address_data = $smtp_active_hostname' >> /etc/exim4/conf.d/router/100_exim4-smtorp + + echo 'remote_smtp_onion:' > /etc/exim4/conf.d/transport/100_exim4-smtorp + echo ' debug_print = "T: remote_smtp_onion for $local_part@$original_domain"' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo ' driver = smtp' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo ' # set helo_data to where we want to connect to,' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo ' # for the proxy program tor-smtp' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo ' helo_data = "$address_data $original_domain"' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo ' # wherever we configured our script at' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo ' port = 12668' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo ' # cannot use TLS otherwise it will EHLO again!!' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + echo ' hosts_avoid_tls = *' >> /etc/exim4/conf.d/transport/100_exim4-smtorp + + if [ ! -d $INSTALL_DIR ]; then + mkdir -p $INSTALL_DIR + fi + cd $INSTALL_DIR + function_check git_clone + git_clone $EXIM_ONION_REPO $INSTALL_DIR/exim4-smtorp + cd $INSTALL_DIR/exim4-smtorp/tor-smtp + make + if [ ! -f $INSTALL_DIR/exim4-smtorp/tor-smtp/tor-smtp ]; then + echo $'Unable to make tor smtp transport' + exit 52629 + fi + if [ ! -d /usr/lib/exim4-smtorp ]; then + mkdir /usr/lib/exim4-smtorp + fi + cp $INSTALL_DIR/exim4-smtorp/tor-smtp/tor-smtp /usr/lib/exim4-smtorp/tor-smtp + if [ ! -f /usr/lib/exim4-smtorp/tor-smtp ]; then + echo $'Unable to copy tor-smtp' + exit 83503 + fi + cp $INSTALL_DIR/exim4-smtorp/xinetd /etc/xinetd.d/tor-smtp + if [ ! -f /etc/xinetd.d/tor-smtp ]; then + echo $'Unable to copy to xinetd.d' + exit 835954 + fi + systemctl restart xinetd + + # configure for Maildir format + sed -i 's/MAIL_DIR/#MAIL_DIR/g' /etc/login.defs + sed -i 's|#MAIL_FILE.*|MAIL_FILE Maildir/|g' /etc/login.defs + + if ! grep -q "export MAIL" /etc/profile; then + echo 'export MAIL=~/Maildir' >> /etc/profile + fi + + sed -i 's|pam_mail.so standard|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/login + sed -i 's|pam_mail.so standard noenv|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/sshd + sed -i 's|pam_mail.so nopen|pam_mail.so dir=~/Maildir nopen|g' /etc/pam.d/su + + echo 'dc_eximconfig_configtype="internet"' > /etc/exim4/update-exim4.conf.conf + if [[ $ONION_ONLY == "no" ]]; then + # both ICANN and onion domains + echo "dc_other_hostnames='${DEFAULT_DOMAIN_NAME};${EMAIL_ONION_HOSTNAME}'" >> /etc/exim4/update-exim4.conf.conf + else + echo "dc_other_hostnames='${EMAIL_ONION_HOSTNAME}'" >> /etc/exim4/update-exim4.conf.conf + fi + echo "dc_local_interfaces=''" >> /etc/exim4/update-exim4.conf.conf + echo "dc_readhost=''" >> /etc/exim4/update-exim4.conf.conf + echo "dc_relay_domains=''" >> /etc/exim4/update-exim4.conf.conf + echo "dc_minimaldns='false'" >> /etc/exim4/update-exim4.conf.conf + RELAY_NETS='192.168.1.0/24' + if [ $LOCAL_NETWORK_STATIC_IP_ADDRESS ]; then + RELAY_NETS=$(echo $LOCAL_NETWORK_STATIC_IP_ADDRESS | awk -F '.' '{print $1 "." $2 "." $3 ".0/24"}') + fi + echo "dc_relay_nets='$RELAY_NETS'" >> /etc/exim4/update-exim4.conf.conf + echo "dc_smarthost=''" >> /etc/exim4/update-exim4.conf.conf + echo "CFILEMODE='644'" >> /etc/exim4/update-exim4.conf.conf + echo "dc_use_split_config='false'" >> /etc/exim4/update-exim4.conf.conf + echo "dc_hide_mailname=''" >> /etc/exim4/update-exim4.conf.conf + echo "dc_mailname_in_oh='true'" >> /etc/exim4/update-exim4.conf.conf + echo "dc_localdelivery='maildir_home'" >> /etc/exim4/update-exim4.conf.conf + update-exim4.conf + sed -i "s/START=no/START=yes/g" /etc/default/saslauthd + systemctl start saslauthd + + # make a tls certificate for email + if [ ! -f /etc/ssl/certs/exim.dhparam ]; then + ${PROJECT_NAME}-addcert -h exim --dhkey $DH_KEYLENGTH + check_certificates exim + fi + cp /etc/ssl/private/exim.key /etc/exim4 + cp /etc/ssl/certs/exim.crt /etc/exim4 + cp /etc/ssl/certs/exim.dhparam /etc/exim4 + chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam + chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam + + sed -i '/login_saslauthd_server/,/.endif/ s/# *//' /etc/exim4/exim4.conf.template + sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME = $DEFAULT_DOMAIN_NAME\nMAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template + sed -i "s|SMTPLISTENEROPTIONS=''|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4 + if ! grep -q "tls_on_connect_ports=465" /etc/exim4/exim4.conf.template; then + sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' /etc/exim4/exim4.conf.template + fi + + adduser $MY_USERNAME sasl + addgroup Debian-exim sasl + systemctl restart exim4 + if [ ! -d /etc/skel/Maildir ]; then + mkdir -m 700 /etc/skel/.mutt + mkdir -m 700 /etc/skel/Maildir + mkdir -m 700 /etc/skel/Maildir/new + mkdir -m 700 /etc/skel/Maildir/cur + mkdir -m 700 /etc/skel/Maildir/Sent + mkdir -m 700 /etc/skel/Maildir/Sent/tmp + mkdir -m 700 /etc/skel/Maildir/Sent/cur + mkdir -m 700 /etc/skel/Maildir/Sent/new + mkdir -m 700 /etc/skel/Maildir/.learn-spam + mkdir -m 700 /etc/skel/Maildir/.learn-spam/cur + mkdir -m 700 /etc/skel/Maildir/.learn-spam/new + mkdir -m 700 /etc/skel/Maildir/.learn-spam/tmp + mkdir -m 700 /etc/skel/Maildir/.learn-ham + mkdir -m 700 /etc/skel/Maildir/.learn-ham/cur + mkdir -m 700 /etc/skel/Maildir/.learn-ham/new + mkdir -m 700 /etc/skel/Maildir/.learn-ham/tmp + ln -s /etc/skel/Maildir/.learn-spam /etc/skel/Maildir/spam + ln -s /etc/skel/Maildir/.learn-ham /etc/skel/Maildir/ham + fi + + if [ ! -d /home/$MY_USERNAME/Maildir ]; then + mkdir -m 700 /home/$MY_USERNAME/.mutt + mkdir -m 700 /home/$MY_USERNAME/Maildir + mkdir -m 700 /home/$MY_USERNAME/Maildir/cur + mkdir -m 700 /home/$MY_USERNAME/Maildir/tmp + mkdir -m 700 /home/$MY_USERNAME/Maildir/new + mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent + mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/cur + mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/tmp + mkdir -m 700 /home/$MY_USERNAME/Maildir/Sent/new + mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam + mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/cur + mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/new + mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-spam/tmp + mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham + mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/cur + mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/new + mkdir -m 700 /home/$MY_USERNAME/Maildir/.learn-ham/tmp + ln -s /home/$MY_USERNAME/Maildir/.learn-spam /home/$MY_USERNAME/Maildir/spam + ln -s /home/$MY_USERNAME/Maildir/.learn-ham /home/$MY_USERNAME/Maildir/ham + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir + fi + + function_check configure_firewall_for_email + configure_firewall_for_email + echo 'configure_email' >> $COMPLETION_FILE +} + +function create_procmail { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "create_procmail" $COMPLETION_FILE; then + return + fi + if [ ! -f /home/$MY_USERNAME/.procmailrc ]; then + echo 'MAILDIR=$HOME/Maildir' > /home/$MY_USERNAME/.procmailrc + echo 'DEFAULT=$MAILDIR/' >> /home/$MY_USERNAME/.procmailrc + echo 'LOGFILE=$HOME/log/procmail.log' >> /home/$MY_USERNAME/.procmailrc + echo 'LOGABSTRACT=all' >> /home/$MY_USERNAME/.procmailrc + echo '' >> /home/$MY_USERNAME/.procmailrc + echo $"# Tripwire reports which have no violations don't need to be logged" >> /home/$MY_USERNAME/.procmailrc + echo ':0 BD:' >> /home/$MY_USERNAME/.procmailrc + TRIPWIRE_VIOLATIONS_STR=$'Total violations found: 0' + echo " * .*$TRIPWIRE_VIOLATIONS_STR" >> /home/$MY_USERNAME/.procmailrc + echo '/dev/null' >> /home/$MY_USERNAME/.procmailrc + echo '' >> /home/$MY_USERNAME/.procmailrc + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc + fi + + mkdir -p /home/$MY_USERNAME/Maildir/admin/new + mkdir -p /home/$MY_USERNAME/Maildir/admin/cur + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/Maildir/admin + + if [ ! -f /etc/skel/.procmailrc ]; then + cp /home/$MY_USERNAME/.procmailrc /etc/skel/.procmailrc + chown root:root /etc/skel/.procmailrc + fi + + echo 'create_procmail' >> $COMPLETION_FILE +} + +function handle_admin_emails { + # keep emails for root in a separate folder + if [ -d /home/$MY_USERNAME/Maildir/admin ]; then + return + fi + + freedombone-addemail -u $MY_USERNAME -e "root@$DEFAULT_DOMAIN_NAME" -g admin --public no +} + +function spam_filtering { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "spam_filtering" $COMPLETION_FILE; then + return + fi + apt-get -y install exim4-daemon-heavy + apt-get -y install spamassassin + if [ ! -f /etc/default/spamassassin ]; then + echo 'Spamassassin was not installed' + exit 72570 + fi + sa-update -v + sed -i 's/ENABLED=0/ENABLED=1/g' /etc/default/spamassassin + sed -i 's/# spamd_address = 127.0.0.1 783/spamd_address = 127.0.0.1 783/g' /etc/exim4/exim4.conf.template + # This configuration is based on https://wiki.debian.org/DebianSpamAssassin + sed -i 's/local_parts = postmaster/local_parts = postmaster:abuse/g' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt + sed -i '/domains = +local_domains : +relay_to_domains/a\ set acl_m0 = rfcnames' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt + sed -i 's/accept/accept condition = ${if eq{$acl_m0}{rfcnames} {1}{0}}/g' /etc/exim4/conf.d/acl/40_exim4-config_check_data + echo 'warn message = X-Spam-Score: $spam_score ($spam_bar)' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data + echo ' spam = nobody:true' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data + echo 'warn message = X-Spam-Flag: YES' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data + echo ' spam = nobody' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data + echo 'warn message = X-Spam-Report: $spam_report' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data + echo ' spam = nobody' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data + echo '# reject spam at high scores (> 12)' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data + echo 'deny message = This message scored $spam_score spam points.' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data + echo ' spam = nobody:true' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data + echo ' condition = ${if >{$spam_score_int}{120}{1}{0}}' >> /etc/exim4/conf.d/acl/40_exim4-config_check_data + # procmail configuration + echo '# get spamassassin to check emails' >> /home/$MY_USERNAME/.procmailrc + echo ':0fw: .spamassassin.lock' >> /home/$MY_USERNAME/.procmailrc + echo ' * < 256000' >> /home/$MY_USERNAME/.procmailrc + echo '| spamc' >> /home/$MY_USERNAME/.procmailrc + echo '# strong spam are discarded' >> /home/$MY_USERNAME/.procmailrc + echo ':0' >> /home/$MY_USERNAME/.procmailrc + echo ' * ^X-Spam-Level: \*\*\*\*\*\*' >> /home/$MY_USERNAME/.procmailrc + echo '/dev/null' >> /home/$MY_USERNAME/.procmailrc + echo '# weak spam are kept just in case - clear this out every now and then' >> /home/$MY_USERNAME/.procmailrc + echo ':0' >> /home/$MY_USERNAME/.procmailrc + echo ' * ^X-Spam-Level: \*\*\*\*\*' >> /home/$MY_USERNAME/.procmailrc + echo 'maybe-spam/' >> /home/$MY_USERNAME/.procmailrc + echo '# otherwise, marginal spam goes here for revision' >> /home/$MY_USERNAME/.procmailrc + echo ':0' >> /home/$MY_USERNAME/.procmailrc + echo ' * ^X-Spam-Level: \*\*' >> /home/$MY_USERNAME/.procmailrc + echo 'spam/' >> /home/$MY_USERNAME/.procmailrc + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc + echo '# get spamassassin to check emails' >> /etc/skel/.procmailrc + echo ':0fw: .spamassassin.lock' >> /etc/skel/.procmailrc + echo ' * < 256000' >> /etc/skel/.procmailrc + echo '| spamc' >> /etc/skel/.procmailrc + echo '# strong spam are discarded' >> /etc/skel/.procmailrc + echo ':0' >> /etc/skel/.procmailrc + echo ' * ^X-Spam-Level: \*\*\*\*\*\*' >> /etc/skel/.procmailrc + echo '/dev/null' >> /etc/skel/.procmailrc + echo '# weak spam are kept just in case - clear this out every now and then' >> /etc/skel/.procmailrc + echo ':0' >> /etc/skel/.procmailrc + echo ' * ^X-Spam-Level: \*\*\*\*\*' >> /etc/skel/.procmailrc + echo 'maybe-spam/' >> /etc/skel/.procmailrc + echo '# otherwise, marginal spam goes here for revision' >> /etc/skel/.procmailrc + echo ':0' >> /etc/skel/.procmailrc + echo ' * ^X-Spam-Level: \*\*' >> /etc/skel/.procmailrc + echo 'spam/' >> /etc/skel/.procmailrc + # filtering scripts + echo '#!/bin/bash' > /usr/bin/filterspam + echo 'for d in /home/*/ ; do' >> /usr/bin/filterspam + echo ' USERNAME=$(echo "$d" | awk -F '"'"'/'"'"' '"'"'{print $3}'"'"')' >> /usr/bin/filterspam + echo ' if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then' >> /usr/bin/filterspam + echo ' MAILDIR=/home/$USERNAME/Maildir/.learn-spam' >> /usr/bin/filterspam + echo ' if [ ! -d "$MAILDIR" ]; then' >> /usr/bin/filterspam + echo ' exit' >> /usr/bin/filterspam + echo ' fi' >> /usr/bin/filterspam + echo ' for f in `ls $MAILDIR/cur`' >> /usr/bin/filterspam + echo ' do' >> /usr/bin/filterspam + echo ' spamc -L spam < "$MAILDIR/cur/$f" > /dev/null' >> /usr/bin/filterspam + echo ' rm "$MAILDIR/cur/$f"' >> /usr/bin/filterspam + echo ' done' >> /usr/bin/filterspam + echo ' for f in `ls $MAILDIR/new`' >> /usr/bin/filterspam + echo ' do' >> /usr/bin/filterspam + echo ' spamc -L spam < "$MAILDIR/new/$f" > /dev/null' >> /usr/bin/filterspam + echo ' rm "$MAILDIR/new/$f"' >> /usr/bin/filterspam + echo ' done' >> /usr/bin/filterspam + echo ' fi' >> /usr/bin/filterspam + echo 'done' >> /usr/bin/filterspam + echo 'exit 0' >> /usr/bin/filterspam + + echo '#!/bin/bash' > /usr/bin/filterham + echo 'for d in /home/*/ ; do' >> /usr/bin/filterham + echo ' USERNAME=$(echo "$d" | awk -F '"'"'/'"'"' '"'"'{print $3}'"'"')' >> /usr/bin/filterham + echo ' if [[ $USERNAME != "git" && $USERNAME != "mirrors" && $USERNAME != "sync" ]]; then' >> /usr/bin/filterham + echo ' MAILDIR=/home/$USERNAME/Maildir/.learn-ham' >> /usr/bin/filterham + echo ' if [ ! -d "$MAILDIR" ]; then' >> /usr/bin/filterham + echo ' exit' >> /usr/bin/filterham + echo ' fi' >> /usr/bin/filterham + echo ' for f in `ls $MAILDIR/cur`' >> /usr/bin/filterham + echo ' do' >> /usr/bin/filterham + echo ' spamc -L ham < "$MAILDIR/cur/$f" > /dev/null' >> /usr/bin/filterham + echo ' rm "$MAILDIR/cur/$f"' >> /usr/bin/filterham + echo ' done' >> /usr/bin/filterham + echo ' for f in `ls $MAILDIR/new`' >> /usr/bin/filterham + echo ' do' >> /usr/bin/filterham + echo ' spamc -L ham < "$MAILDIR/new/$f" > /dev/null' >> /usr/bin/filterham + echo ' rm "$MAILDIR/new/$f"' >> /usr/bin/filterham + echo ' done' >> /usr/bin/filterham + echo ' fi' >> /usr/bin/filterham + echo 'done' >> /usr/bin/filterham + echo 'exit 0' >> /usr/bin/filterham + + function_check cron_add_mins + cron_add_mins 3 '/usr/bin/timeout 120 /usr/bin/filterspam' + cron_add_mins 3 '/usr/bin/timeout 120 /usr/bin/filterham' + chmod 655 /usr/bin/filterspam /usr/bin/filterham + sed -i 's/# use_bayes 1/use_bayes 1/g' /etc/mail/spamassassin/local.cf + sed -i 's/# bayes_auto_learn 1/bayes_auto_learn 1/g' /etc/mail/spamassassin/local.cf + + # user preferences + if [ ! -d /home/$MY_USERNAME/.spamassassin ]; then + mkdir /home/$MY_USERNAME/.spamassassin + echo $'# How many points before a mail is considered spam.' > /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# required_score 5' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# Whitelist and blacklist addresses are now file-glob-style patterns, so' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# whitelist_from someone@somewhere.com' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# Add your own customised scores for some tests below. The default scores are' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# read from the installed spamassassin rules files, but you can override them' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# here. To see the list of tests and their default scores, go to' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# http://spamassassin.apache.org/tests.html .' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '#' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# score SYMBOLIC_TEST_NAME n.nn' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# definitely want to uncomment the following lines. They will switch off some' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# rules that detect 8-bit characters, which commonly trigger on mails using CJK' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# character sets, or that assume a western-style charset is in use. ' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# ' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# score HTML_COMMENT_8BITS 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# score UPPERCASE_25_50 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# score UPPERCASE_50_75 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# score UPPERCASE_75_100 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# score OBSCURED_EMAIL 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# Speakers of any language that uses non-English, accented characters may wish' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# to uncomment the following lines. They turn off rules that fire on' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# misformatted messages generated by common mail apps in contravention of the' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo $'# email RFCs.' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '' >> /home/$MY_USERNAME/.spamassassin/user_prefs + echo '# score SUBJ_ILLEGAL_CHARS 0' >> /home/$MY_USERNAME/.spamassassin/user_prefs + fi + # this must be accessible by root + chown -R $MY_USERNAME:root /home/$MY_USERNAME/.spamassassin + + systemctl restart spamassassin + systemctl restart exim4 + systemctl restart cron + + echo 'spam_filtering' >> $COMPLETION_FILE +} + +function configure_imap { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "configure_imap" $COMPLETION_FILE; then + return + fi + + dpkg -P dovecot-imapd + dpkg -P dovecot-core + apt-get -y install dovecot-imapd + + if [ ! -d /etc/dovecot ]; then + echo $"ERROR: Dovecot does not appear to have installed. $CHECK_MESSAGE" + exit 48 + fi + + if [ ! -f /etc/ssl/certs/dovecot.dhparam ]; then + ${PROJECT_NAME}-addcert -h dovecot --dhkey $DH_KEYLENGTH + check_certificates dovecot + fi + chown root:dovecot /etc/ssl/certs/dovecot.* + chown root:dovecot /etc/ssl/private/dovecot.* + + if [ ! -f /etc/dovecot/conf.d/10-ssl.conf ]; then + echo $'Unable to find /etc/dovecot/conf.d/10-ssl.conf' + exit 83629 + fi + sed -i 's|#ssl =.*|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf + sed -i 's|ssl = no|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf + sed -i 's|ssl = yes|ssl = required|g' /etc/dovecot/conf.d/10-ssl.conf + sed -i 's|#ssl_cert =.*|ssl_cert = > /etc/dovecot/conf.d/10-ssl.conf + + if [ ! -f /etc/dovecot/conf.d/10-master.conf ]; then + echo $'Unable to find /etc/dovecot/conf.d/10-master.conf' + exit 49259 + fi + sed -i 's/#process_limit =.*/process_limit = 100/g' /etc/dovecot/conf.d/10-master.conf + sed -i 's/#default_client_limit.*/default_client_limit = 100/g' /etc/dovecot/conf.d/10-master.conf + sed -i 's|#default_process_limit =.*|default_process_limit = 100|g' /etc/dovecot/conf.d/10-master.conf + + if [ ! -f /etc/dovecot/conf.d/10-logging.conf ]; then + echo $'Unable to find /etc/dovecot/conf.d/10-logging.conf' + exit 48936 + fi + sed -i 's/#auth_verbose.*/auth_verbose = yes/g' /etc/dovecot/conf.d/10-logging.conf + + if [ ! -f /etc/dovecot/dovecot.conf ]; then + echo $'Unable to find /etc/dovecot/dovecot.conf' + exit 43890 + fi + sed -i 's/#listen =.*/listen = */g' /etc/dovecot/dovecot.conf + + if [ ! -f /etc/dovecot/conf.d/10-auth.conf ]; then + echo $'Unable to find /etc/dovecot/conf.d/10-auth.conf' + exit 843256 + fi + sed -i 's/#disable_plaintext_auth =.*/disable_plaintext_auth = no/g' /etc/dovecot/conf.d/10-auth.conf + sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf + + if [ ! -f /etc/dovecot/conf.d/10-mail.conf ]; then + echo $'Unable to find /etc/dovecot/conf.d/10-mail.conf' + exit 42036 + fi + sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf + + # This long notify interval makes the system more suited for use with + # battery powered mobile devices + sed -i 's|#imap_idle_notify_interval =.*|imap_idle_notify_interval = 29|g' /etc/dovecot/conf.d/20-imap.conf + + if [ -f /var/lib/dovecot/ssl-parameters.dat ]; then + rm /var/lib/dovecot/ssl-parameters.dat + fi + + systemctl restart dovecot + echo 'configure_imap' >> $COMPLETION_FILE +} + +function configure_imap_client_certs { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "configure_imap_client_certs" $COMPLETION_FILE; then + return + fi + # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/ + sed -i 's|#default_process_limit =.*|default_process_limit = 100|g' /etc/dovecot/conf.d/10-master.conf + sed -i 's/disable_plaintext_auth =.*/disable_plaintext_auth = yes/g' /etc/dovecot/conf.d/10-auth.conf + sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf + sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf + sed -i "s|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/ca-$DEFAULT_DOMAIN_NAME.crt|g" /etc/dovecot/conf.d/10-ssl.conf + sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf + sed -i 's|#ssl_verify_client_cert =.*|ssl_verify_client_cert = yes|g' /etc/dovecot/conf.d/10-ssl.conf + if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then + echo '' >> /etc/dovecot/conf.d/10-auth.conf + echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf + echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf + echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf + echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf + echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf + echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf + echo '}' >> /etc/dovecot/conf.d/10-auth.conf + fi + if [[ $ONION_ONLY == "no" ]]; then + # make a CA cert + if [ ! -f /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key ]; then + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + ${PROJECT_NAME}-addcert -h $DEFAULT_DOMAIN_NAME --ca "" --dhkey $DH_KEYLENGTH + else + ${PROJECT_NAME}-addcert -e $DEFAULT_DOMAIN_NAME -s $LETSENCRYPT_SERVER --ca "" --dhkey $DH_KEYLENGTH --email $MY_EMAIL_ADDRESS + fi + fi + fi + # CA configuration + echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf + echo "default_ca = dovecot-ca" >> /etc/ssl/dovecot-ca.cnf + echo '' >> /etc/ssl/dovecot-ca.cnf + echo '[ crl_ext ]' >> /etc/ssl/dovecot-ca.cnf + echo 'authorityKeyIdentifier=keyid:always' >> /etc/ssl/dovecot-ca.cnf + echo '' >> /etc/ssl/dovecot-ca.cnf + echo '[ dovecot-ca ]' >> /etc/ssl/dovecot-ca.cnf + echo 'new_certs_dir = .' >> /etc/ssl/dovecot-ca.cnf + echo 'unique_subject = no' >> /etc/ssl/dovecot-ca.cnf + echo "certificate = /etc/ssl/certs/ca-$DEFAULT_DOMAIN_NAME.crt" >> /etc/ssl/dovecot-ca.cnf + echo 'database = ssldb' >> /etc/ssl/dovecot-ca.cnf + echo "private_key = /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key" >> /etc/ssl/dovecot-ca.cnf + echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf + echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf + echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf + echo 'default_bits = 4096' >> /etc/ssl/dovecot-ca.cnf + echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf + echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf + echo '' >> /etc/ssl/dovecot-ca.cnf + echo '[ dovecot-ca_policy ]' >> /etc/ssl/dovecot-ca.cnf + echo 'commonName = supplied' >> /etc/ssl/dovecot-ca.cnf + echo 'stateOrProvinceName = supplied' >> /etc/ssl/dovecot-ca.cnf + echo 'countryName = supplied' >> /etc/ssl/dovecot-ca.cnf + echo 'emailAddress = optional' >> /etc/ssl/dovecot-ca.cnf + echo 'organizationName = supplied' >> /etc/ssl/dovecot-ca.cnf + echo 'organizationalUnitName = optional' >> /etc/ssl/dovecot-ca.cnf + echo '' >> /etc/ssl/dovecot-ca.cnf + echo '[ dovecot-ca_extensions ]' >> /etc/ssl/dovecot-ca.cnf + echo 'basicConstraints = CA:false' >> /etc/ssl/dovecot-ca.cnf + echo 'subjectKeyIdentifier = hash' >> /etc/ssl/dovecot-ca.cnf + echo 'authorityKeyIdentifier = keyid:always' >> /etc/ssl/dovecot-ca.cnf + echo 'keyUsage = digitalSignature,keyEncipherment' >> /etc/ssl/dovecot-ca.cnf + echo 'extendedKeyUsage = clientAuth' >> /etc/ssl/dovecot-ca.cnf + if [ -f /etc/ssl/ssldb ]; then + rm /etc/ssl/ssldb + fi + if [ -f /etc/ssl/sslserial ]; then + rm /etc/ssl/sslserial + fi + touch /etc/ssl/ssldb + echo 0001 > /etc/ssl/sslserial + #${PROJECT_NAME}-clientcert -u $MY_USERNAME + systemctl restart dovecot + echo 'configure_imap_client_certs' >> $COMPLETION_FILE +} + +function create_gpg_subkey { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "create_gpg_subkey" $COMPLETION_FILE; then + return + fi + apt-get -y install gnupg + + GPG_KEY_USAGE=$1 + if [[ $GPG_KEY_USAGE != "sign" && $GPG_KEY_USAGE != "auth" && $GPG_KEY_USAGE != "encrypt" ]]; then + echo $"Unknown subkey usage: $GPG_KEY_USAGE" + echo $'Available types: sign|auth|encrypt' + exit 14783 + fi + + KEYGRIP=$(gpg --fingerprint --fingerprint $MY_EMAIL_ADDRESS | grep fingerprint | tail -1 | cut -d= -f2 | sed -e 's/ //g') + + # Generate a GPG subkey + # Here a 2048bit length is used to be compatible with yubikey + echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf + echo "Key-Grip: $KEYGRIP" > /home/$MY_USERNAME/gpg-genkey.conf + echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf + echo 'Subkey-Length: 2048' >> /home/$MY_USERNAME/gpg-genkey.conf + echo "subkey-Usage: $GPG_KEY_USAGE" > /home/$MY_USERNAME/gpg-genkey.conf + echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf + echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf + echo "Name-Comment: $GPG_KEY_USAGE" >> /home/$MY_USERNAME/gpg-genkey.conf + echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf + su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME + shred -zu /home/$MY_USERNAME/gpg-genkey.conf + MY_GPG_SUBKEY_ID=$(su -c "gpg --list-keys $MY_EMAIL_ADDRESS | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') + + echo 'create_gpg_subkey' >> $COMPLETION_FILE +} + +function gpg_key_exists { + key_owner_username=$1 + key_search_text=$2 + if [[ $key_owner_username != "root" ]]; then + KEY_EXISTS=$(su -c "gpg --list-keys \"${key_search_text}\"" - $key_owner_username) + else + KEY_EXISTS=$(gpg --list-keys "${key_search_text}") + fi + if [ ! "$KEY_EXISTS" ]; then + echo "no" + return + fi + if [ "$KEY_EXISTS" == *"error"* ]; then + echo "no" + return + fi + echo "yes" +} + +function gpg_pubkey_from_email { + key_owner_username=$1 + key_email_address=$2 + key_id= + if [[ $key_owner_username != "root" ]]; then + key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') + else + key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') + fi + echo $key_id +} + +function configure_gpg { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "configure_gpg" $COMPLETION_FILE; then + return + fi + apt-get -y install gnupg + + gpg_dir=/home/$MY_USERNAME/.gnupg + + # if gpg keys directory was previously imported from usb + if [[ $GPG_KEYS_IMPORTED == "yes" && -d $gpg_dir ]]; then + echo $'GPG keys were imported' + sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" $gpg_dir/gpg.conf + MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") + if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then + echo $'GPG public key ID could not be obtained' + fi + chown -R $MY_USERNAME:$MY_USERNAME $gpg_dir + chmod 700 $gpg_dir + chmod 600 $gpg_dir/* + echo 'configure_gpg' >> $COMPLETION_FILE + return + fi + + if [ ! -d $gpg_dir ]; then + mkdir $gpg_dir + echo "keyserver $GPG_KEYSERVER" >> $gpg_dir/gpg.conf + echo 'keyserver-options auto-key-retrieve' >> $gpg_dir/gpg.conf + fi + + sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" $gpg_dir/gpg.conf + + if ! grep -q "# default preferences" $gpg_dir/gpg.conf; then + echo '' >> $gpg_dir/gpg.conf + echo '# default preferences' >> $gpg_dir/gpg.conf + echo 'personal-digest-preferences SHA256' >> $gpg_dir/gpg.conf + echo 'cert-digest-algo SHA256' >> $gpg_dir/gpg.conf + echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed' >> $gpg_dir/gpg.conf + fi + + chown -R $MY_USERNAME:$MY_USERNAME $gpg_dir + chmod 700 $gpg_dir + chmod 600 $gpg_dir/* + + if [[ $MY_GPG_PUBLIC_KEY && $MY_GPG_PRIVATE_KEY ]]; then + echo $'Importing GPG keys from file' + echo $"Public key: $MY_GPG_PUBLIC_KEY" + echo $"Private key: $MY_GPG_PRIVATE_KEY" + + # use your existing GPG keys which were exported + if [ ! -f $MY_GPG_PUBLIC_KEY ]; then + echo $"GPG public key file $MY_GPG_PUBLIC_KEY was not found" + exit 2483 + fi + if [ ! -f $MY_GPG_PRIVATE_KEY ]; then + echo $"GPG private key file $MY_GPG_PRIVATE_KEY was not found" + exit 5383 + fi + su -c "gpg --import $MY_GPG_PUBLIC_KEY" - $MY_USERNAME + su -c "gpg --allow-secret-key-import --import $MY_GPG_PRIVATE_KEY" - $MY_USERNAME + KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS") + if [[ $KEY_EXISTS == "no" ]]; then + echo $"The GPG key for $MY_EMAIL_ADDRESS could not be imported" + exit 13821 + fi + + # for security ensure that the private key file doesn't linger around + shred -zu $MY_GPG_PRIVATE_KEY + MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") + if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then + echo $'GPG public key ID could not be obtained' + fi + else + # Generate a GPG key + echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf + echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf + echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf + echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf + echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf + echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf + echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf + echo $'Generating a new GPG key' + su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME + KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS") + if [[ $KEY_EXISTS == "no" ]]; then + echo $"A GPG key for $MY_EMAIL_ADDRESS could not be created" + exit 6362 + fi + shred -zu /home/$MY_USERNAME/gpg-genkey.conf + MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") + if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then + echo $'GPG public key ID could not be obtained' + fi + MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg + su -c "gpg --output $MY_GPG_PUBLIC_KEY --armor --export $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME + + if grep -q "configure_email" $COMPLETION_FILE; then + if ! grep -q $"Change your GPG password" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Change your GPG password' >> /home/$MY_USERNAME/README + echo '========================' >> /home/$MY_USERNAME/README + echo $"It's very important to add a password to your GPG key so that" >> /home/$MY_USERNAME/README + echo $"if anyone does get access to your email they still won't be able" >> /home/$MY_USERNAME/README + echo $'to read them without knowning the GPG password.' >> /home/$MY_USERNAME/README + echo $'You can change the it with:' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo " gpg --edit-key $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README + echo ' passwd' >> /home/$MY_USERNAME/README + echo ' save' >> /home/$MY_USERNAME/README + echo ' quit' >> /home/$MY_USERNAME/README + fi + if ! grep -q $"Publish your GPG public key" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Publish your GPG public key' >> /home/$MY_USERNAME/README + echo '===========================' >> /home/$MY_USERNAME/README + echo $'So that others can send emails to you securely you should' >> /home/$MY_USERNAME/README + echo $'publish your GPG public key with the command:' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo " gpg --send-keys $MY_GPG_PUBLIC_KEY_ID" >> /home/$MY_USERNAME/README + fi + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + fi + + echo 'configure_gpg' >> $COMPLETION_FILE +} + +function refresh_gpg_keys { + REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys + echo '#!/bin/bash' > $REFRESH_GPG_KEYS_SCRIPT + echo "if [ -f /usr/local/bin/${PROJECT_NAME}-sec ]; then" >> $REFRESH_GPG_KEYS_SCRIPT + echo " /usr/bin/timeout 600 /usr/local/bin/${PROJECT_NAME}-sec --refresh yes" >> $REFRESH_GPG_KEYS_SCRIPT + echo 'else' >> $REFRESH_GPG_KEYS_SCRIPT + echo " /usr/bin/timeout 600 /usr/bin/${PROJECT_NAME}-sec --refresh yes" >> $REFRESH_GPG_KEYS_SCRIPT + echo 'fi' >> $REFRESH_GPG_KEYS_SCRIPT + chmod +x $REFRESH_GPG_KEYS_SCRIPT + + if grep -q "${PROJECT_NAME}-sec" /etc/crontab; then + sed -i "/${PROJECT_NAME}-sec /d" /etc/crontab + fi + if ! grep -q "$REFRESH_GPG_KEYS_SCRIPT" /etc/crontab; then + GPG_REFRESH_TIME=$(( RANDOM % 60 )) + echo "$GPG_REFRESH_TIME */$REFRESH_GPG_KEYS_HOURS * * * root cronic $REFRESH_GPG_KEYS_SCRIPT" >> /etc/crontab + systemctl restart cron + else + sed -i "s|root $REFRESH_GPG_KEYS_SCRIPT.*|root cronic $REFRESH_GPG_KEYS_SCRIPT|g" /etc/crontab + fi +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-gnusocial b/src/freedombone-app-gnusocial new file mode 100755 index 00000000..85c2299e --- /dev/null +++ b/src/freedombone-app-gnusocial @@ -0,0 +1,660 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# GNU Social application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +MICROBLOG_DOMAIN_NAME= +MICROBLOG_CODE= +MICROBLOG_ONION_PORT=8087 +MICROBLOG_REPO="https://git.gnu.io/gnu/gnu-social.git" +MICROBLOG_COMMIT='c67b89e56bf0f90730a9e22beca7e1bd41fc26c3' +MICROBLOG_ADMIN_PASSWORD= +MICROBLOG_THEME_REPO="https://git.gnu.io/h2p/Qvitter.git" +MICROBLOG_THEME_COMMIT='34510bcf37c727f91afad789fb0a531a45171ccf' +MICROBLOG_WELCOME_MESSAGE=$'

Welcome to GNU Social – a federated microblog

Another Freedombone site

' +MICROBLOG_BACKGROUND_IMAGE_URL= +MICROBLOG_MARKDOWN_REPO="https://git.gnu.io/chimo/markdown.git" +MICROBLOG_MARKDOWN_COMMIT='03c53942f94b3376f0946e6e1fe566cc21ccf232' + +# Sharings plugin for the microblog +SHARINGS_REPO="http://git.lasindias.club/bashrc/Sharings" +SHARINGS_COMMIT='d5c6c7f855d9afff9086c09ea706f38c859bc0d4' +SHARINGS_THEME_REPO="http://git.lasindias.club/manuel/SharingsTheme" +SHARINGS_THEME_COMMIT='7106c7ef03' + +function install_gnu_social { + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! $MICROBLOG_DOMAIN_NAME ]; then + echo $'No domain name was given for the microblog' + exit 7359 + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs "GNU Social commit" "$MICROBLOG_COMMIT" $MICROBLOG_REPO + + # add a script to check that the daemon is running + echo '#!/bin/bash' > /etc/cron.hourly/gnusocial-daemons + echo 'daemon_lines=$(ps aux | grep "scripts/queuedaemon.php" | grep "/var/www")' >> /etc/cron.hourly/gnusocial-daemons + echo 'if [[ $daemon_lines != *"/var/www/"* ]]; then' >> /etc/cron.hourly/gnusocial-daemons + + echo " ADMIN_USER=\$(cat $COMPLETION_FILE | grep 'Admin user' | awk -F ':' '{print \$2}')" >> /etc/cron.hourly/gnusocial-daemons + echo ' MY_EMAIL_ADDRESS=$ADMIN_USER@$HOSTNAME' >> /etc/cron.hourly/gnusocial-daemons + echo ' echo "Restarting GNU Social daemons" | mail -s "GNU Social daemons not found" $MY_EMAIL_ADDRESS' >> /etc/cron.hourly/gnusocial-daemons + echo " cd /var/www/${MICROBLOG_DOMAIN_NAME}/htdocs" >> /etc/cron.hourly/gnusocial-daemons + echo ' scripts/startdaemons.sh' >> /etc/cron.hourly/gnusocial-daemons + echo 'fi' >> /etc/cron.hourly/gnusocial-daemons + chmod +x /etc/cron.hourly/gnusocial-daemons + + if grep -Fxq "install_gnu_social" $COMPLETION_FILE; then + return + fi + + function_check install_mariadb + install_mariadb + + function_check get_mariadb_password + get_mariadb_password + + function_check repair_databases_script + repair_databases_script + + apt-get -y install php-gettext php5-curl php5-gd php5-mysql git curl php-xml-parser + apt-get -y install php5-memcached + + if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME ]; then + mkdir /var/www/$MICROBLOG_DOMAIN_NAME + fi + if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then + function_check git_clone + git_clone $MICROBLOG_REPO /var/www/$MICROBLOG_DOMAIN_NAME/htdocs + if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then + echo $'Unable to clone gnusocial repo' + exit 87525 + fi + fi + + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs + git checkout $MICROBLOG_COMMIT -b $MICROBLOG_COMMIT + if ! grep -q "GNU Social commit" $COMPLETION_FILE; then + echo "GNU Social commit:$MICROBLOG_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/GNU Social commit.*/GNU Social commit:$MICROBLOG_COMMIT/g" $COMPLETION_FILE + fi + + chmod a+w /var/www/$MICROBLOG_DOMAIN_NAME/htdocs + chown www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs + chmod +x /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php + + function_check get_mariadb_gnusocial_admin_password + get_mariadb_gnusocial_admin_password + if [ ! $MICROBLOG_ADMIN_PASSWORD ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + MICROBLOG_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + MICROBLOG_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + fi + + function_check create_database + create_database gnusocial "$MICROBLOG_ADMIN_PASSWORD" $MY_USERNAME + + if [ ! -f "/etc/aliases" ]; then + touch /etc/aliases + fi + if ! grep -q "www-data: root" /etc/aliases; then + echo 'www-data: root' >> /etc/aliases + fi + if ! grep -q "/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" /etc/aliases; then + echo "*: /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/scripts/maildaemon.php" >> /etc/aliases + fi + + function_check add_ddns_domain + add_ddns_domain $MICROBLOG_DOMAIN_NAME + + microblog_nginx_site=/etc/nginx/sites-available/$MICROBLOG_DOMAIN_NAME + if [[ $ONION_ONLY == "no" ]]; then + function_check nginx_http_redirect + nginx_http_redirect $MICROBLOG_DOMAIN_NAME + echo 'server {' >> $microblog_nginx_site + echo ' listen 443 ssl;' >> $microblog_nginx_site + echo " server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Security' >> $microblog_nginx_site + function_check nginx_ssl + nginx_ssl $MICROBLOG_DOMAIN_NAME + + function_check nginx_disable_sniffing + nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME + + function_check nginx_limits + nginx_limits $MICROBLOG_DOMAIN_NAME '15m' + echo ' add_header Strict-Transport-Security max-age=15768000;' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Logs' >> $microblog_nginx_site + echo ' access_log off;' >> $microblog_nginx_site + echo ' error_log off;' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Root' >> $microblog_nginx_site + echo " root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Index' >> $microblog_nginx_site + echo ' index index.php;' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # PHP' >> $microblog_nginx_site + echo ' location ~ \.php {' >> $microblog_nginx_site + echo ' include snippets/fastcgi-php.conf;' >> $microblog_nginx_site + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> $microblog_nginx_site + echo ' }' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Location' >> $microblog_nginx_site + echo ' location / {' >> $microblog_nginx_site + echo ' try_files $uri $uri/ @gnusocial;' >> $microblog_nginx_site + echo ' }' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Fancy URLs' >> $microblog_nginx_site + echo ' location @gnusocial {' >> $microblog_nginx_site + echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> $microblog_nginx_site + echo ' }' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Restrict access that is unnecessary anyway' >> $microblog_nginx_site + echo ' location ~ /\.(ht|git) {' >> $microblog_nginx_site + echo ' deny all;' >> $microblog_nginx_site + echo ' }' >> $microblog_nginx_site + echo '}' >> $microblog_nginx_site + else + echo -n '' > $microblog_nginx_site + fi + echo 'server {' >> $microblog_nginx_site + echo " listen 127.0.0.1:$MICROBLOG_ONION_PORT default_server;" >> $microblog_nginx_site + echo " server_name $MICROBLOG_DOMAIN_NAME;" >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + function_check nginx_disable_sniffing + nginx_disable_sniffing $MICROBLOG_DOMAIN_NAME + function_check nginx_limits + nginx_limits $MICROBLOG_DOMAIN_NAME '15m' + echo '' >> $microblog_nginx_site + echo ' # Logs' >> $microblog_nginx_site + echo ' access_log off;' >> $microblog_nginx_site + echo ' error_log off;' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Root' >> $microblog_nginx_site + echo " root /var/www/$MICROBLOG_DOMAIN_NAME/htdocs;" >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Index' >> $microblog_nginx_site + echo ' index index.php;' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # PHP' >> $microblog_nginx_site + echo ' location ~ \.php {' >> $microblog_nginx_site + echo ' include snippets/fastcgi-php.conf;' >> $microblog_nginx_site + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> $microblog_nginx_site + echo ' }' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Location' >> $microblog_nginx_site + echo ' location / {' >> $microblog_nginx_site + echo ' try_files $uri $uri/ @gnusocial;' >> $microblog_nginx_site + echo ' }' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Fancy URLs' >> $microblog_nginx_site + echo ' location @gnusocial {' >> $microblog_nginx_site + echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> $microblog_nginx_site + echo ' }' >> $microblog_nginx_site + echo '' >> $microblog_nginx_site + echo ' # Restrict access that is unnecessary anyway' >> $microblog_nginx_site + echo ' location ~ /\.(ht|git) {' >> $microblog_nginx_site + echo ' deny all;' >> $microblog_nginx_site + echo ' }' >> $microblog_nginx_site + echo '}' >> $microblog_nginx_site + + function_check configure_php + configure_php + + function_check create_site_certificate + create_site_certificate $MICROBLOG_DOMAIN_NAME 'yes' + + # Ensure that the database gets backed up locally, if remote + # backups are not being used + function_check backup_databases_script_header + backup_databases_script_header + + function_check backup_database_local + backup_database_local gnusocial + + function_check nginx_ensite + nginx_ensite $MICROBLOG_DOMAIN_NAME + + # NOTE: For the typical case always enable SSL and only + # disable it if in onion only mode. This is due to complexities + # with the way URLs are generated by GNU Social + gnu_social_ssl='always' + if [[ $ONION_ONLY != 'no' ]]; then + gnu_social_ssl='never' + fi + + MICROBLOG_ONION_HOSTNAME=$(add_onion_service microblog 80 ${MICROBLOG_ONION_PORT}) + + MICROBLOG_SERVER=${MICROBLOG_DOMAIN_NAME} + if [[ $ONION_ONLY != 'no' ]]; then + MICROBLOG_SERVER=${MICROBLOG_ONION_HOSTNAME} + fi + + # Create the configuration + gnu_social_installer=/var/www/${MICROBLOG_DOMAIN_NAME}/htdocs/scripts/install_cli.php + if [ ! -f $gnu_social_installer ]; then + echo $'No GNU Social commandline installer found' + exit 53026 + fi + ${gnu_social_installer} --server "${MICROBLOG_SERVER}" \ + --host="localhost" --database="gnusocial" \ + --dbtype=mysql --username="root" -v \ + --password="$MARIADB_PASSWORD" \ + --sitename=$"GNU Social" --fancy='yes' \ + --admin-nick="$MY_USERNAME" \ + --admin-pass="$MICROBLOG_ADMIN_PASSWORD" \ + --site-profile="community" \ + --ssl=${gnu_social_ssl} + # There can be a lot of warnings here so the return value check is disabled + #if [ ! "$?" = "0" ]; then + # # failed to install + # echo $'Could not install GNU Social' + # exit 72357 + #fi + + # check microblog has a config file + microblog_config_file=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php + if [ ! -f $microblog_config_file ]; then + echo $'Microblog config.php not found' + exit 87586 + fi + + # Some useful settings + if ! grep -q "Recommended GNU social settings" $microblog_config_file; then + echo "" >> $microblog_config_file + echo "// Recommended GNU social settings" >> $microblog_config_file + echo "\$config['thumbnail']['maxsize'] = 3000;" >> $microblog_config_file + echo "\$config['profile']['delete'] = true;" >> $microblog_config_file + echo "\$config['profile']['changenick'] = true;" >> $microblog_config_file + echo "\$config['public']['localonly'] = false;" >> $microblog_config_file + echo "addPlugin('StoreRemoteMedia');" >> $microblog_config_file + echo "\$config['queue']['enabled'] = true;" >> $microblog_config_file + echo "\$config['queue']['daemon'] = true;" >> $microblog_config_file + fi + + # This improves performance + sed -i "s|//\$config\['db'\]\['schemacheck'\].*|\$config\['db'\]\['schemacheck'\] = 'script';|g" $microblog_config_file + + systemctl restart php5-fpm + systemctl restart nginx + + freedombone-addemail -u $MY_USERNAME -e "noreply@$MICROBLOG_DOMAIN_NAME" -g gnusocial --public no + + # some post-install instructions for the user + if ! grep -q $"Microblog administrator" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Microblog' >> /home/$MY_USERNAME/README + echo '=========' >> /home/$MY_USERNAME/README + echo $"Microblog administrator nickname: $MY_USERNAME" >> /home/$MY_USERNAME/README + echo $"Microblog administrator password: $MICROBLOG_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + if ! grep -q "Microblog onion domain" /home/$MY_USERNAME/README; then + echo $"Microblog onion domain: ${MICROBLOG_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + echo "GNU Social onion domain:${MICROBLOG_ONION_HOSTNAME}" >> $COMPLETION_FILE + + echo "GNU Social domain:$MICROBLOG_DOMAIN_NAME" >> $COMPLETION_FILE + echo 'install_gnu_social' >> $COMPLETION_FILE +} + +function install_gnu_social_plugin_sharings { + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then + echo $'No local/plugins directory found for the microblog' + exit 72945 + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins "GNU Social sharings plugin commit" "$SHARINGS_COMMIT" $SHARINGS_REPO + + if grep -Fxq "install_gnu_social_plugin_sharings" $COMPLETION_FILE; then + return + fi + + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins + function_check git_clone + git_clone $SHARINGS_REPO Sharings + if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings ]; then + echo $'Unable to clone microblog sharings plugin' + exit 36738 + fi + + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings + git stash + git checkout master + git branch -D $SHARINGS_COMMIT + git checkout $SHARINGS_COMMIT -b $SHARINGS_COMMIT + + # enable the plugin + if ! grep -q "addPlugin('Sharings');" /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php; then + echo "addPlugin('Sharings');" >> /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php + fi + + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs + php scripts/checkschema.php + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings + php scripts/seedsharings.php + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs + php scripts/checkschema.php + + # Languages + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en/LC_MESSAGES + msgfmt -o Sharings.mo Sharings.po + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en_GB/LC_MESSAGES + msgfmt -o Sharings.mo Sharings.po + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Sharings/locale/en_US/LC_MESSAGES + msgfmt -o Sharings.mo Sharings.po + + chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs + + if ! grep -q "GNU Social sharings plugin commit" $COMPLETION_FILE; then + echo "GNU Social sharings plugin commit:$SHARINGS_COMMIT" >> $COMPLETION_FILE + else + sed -i "s|GNU Social sharings plugin commit.*|GNU Social sharings plugin commit:$SHARINGS_COMMIT|g" $COMPLETION_FILE + fi + echo 'install_gnu_social_plugin_sharings' >> $COMPLETION_FILE +} + +function install_gnu_social_plugin_sharings_theme { + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then + echo $'No local/plugins directory found for the microblog' + exit 74458 + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins "GNU Social sharings theme plugin commit" "$SHARINGS_THEME_COMMIT" $SHARINGS_THEME_REPO + + if grep -Fxq "install_gnu_social_plugin_sharings_theme" $COMPLETION_FILE; then + return + fi + + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins + function_check git_clone + git_clone $SHARINGS_THEME_REPO SharingsTheme + if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/SharingsTheme ]; then + echo $'Unable to clone microblog sharings plugin theme' + exit 639253 + fi + + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/SharingsTheme + git stash + git checkout master + git branch -D $SHARINGS_THEME_COMMIT + git checkout $SHARINGS_THEME_COMMIT -b $SHARINGS_THEME_COMMIT + + # enable the plugin + if ! grep -q "addPlugin('SharingsTheme');" /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php; then + echo "addPlugin('SharingsTheme');" >> /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php + fi + + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs + php scripts/checkschema.php + + chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs + + if ! grep -q "GNU Social sharings plugin theme commit" $COMPLETION_FILE; then + echo "GNU Social sharings plugin theme commit:$SHARINGS_THEME_COMMIT" >> $COMPLETION_FILE + else + sed -i "s|GNU Social sharings plugin theme commit.*|GNU Social sharings plugin theme commit:$SHARINGS_THEME_COMMIT|g" $COMPLETION_FILE + fi + echo 'install_gnu_social_plugin_sharings_theme' >> $COMPLETION_FILE +} + +function expire_gnu_social_posts { + # To prevent the database size from growing endlessly this script expires posts + # after a number of months + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs ]; then + return + fi + + gnusocial_expire_script=/usr/bin/gnusocial-expire + + echo ' $gnusocial_expire_script + echo '' >> $gnusocial_expire_script + echo '// GNU Social post expiry script, based on StatExpire by Tony Baldwin' >> $gnusocial_expire_script + echo '// https://github.com/tonybaldwin/statexpire' >> $gnusocial_expire_script + echo '' >> $gnusocial_expire_script + echo '$oldate=date(("Y-m-d"), strtotime("-3 months"));' >> $gnusocial_expire_script + echo '$username="root";' >> $gnusocial_expire_script + echo "\$password=trim(file_get_contents(\"$DATABASE_PASSWORD_FILE\"));" >> $gnusocial_expire_script + echo '$database="gnusocial";' >> $gnusocial_expire_script + echo '' >> $gnusocial_expire_script + echo 'if (!$link = mysql_connect("localhost", $username, $password)) {' >> $gnusocial_expire_script + echo ' echo "Could not connect to mariadb";' >> $gnusocial_expire_script + echo ' exit;' >> $gnusocial_expire_script + echo '}' >> $gnusocial_expire_script + echo '' >> $gnusocial_expire_script + echo 'if (!mysql_select_db($database, $link)) {' >> $gnusocial_expire_script + echo ' echo "Could not select gnusocial database";' >> $gnusocial_expire_script + echo ' exit;' >> $gnusocial_expire_script + echo '}' >> $gnusocial_expire_script + echo '' >> $gnusocial_expire_script + echo "\$notice_query=\"DELETE FROM notice WHERE created <= '\$oldate 01:01:01'\";" >> $gnusocial_expire_script + echo "\$conversation_query=\"DELETE FROM conversation WHERE created <= '$oldate 01:01:01'\";" >> $gnusocial_expire_script + echo "\$reply_query=\"DELETE FROM reply WHERE modified <= '\$oldate 01:01:01'\";" >> $gnusocial_expire_script + echo '' >> $gnusocial_expire_script + echo 'mysql_query($notice_query);' >> $gnusocial_expire_script + echo '$rowaff1=mysql_affected_rows();' >> $gnusocial_expire_script + echo 'mysql_query($conversation_query);' >> $gnusocial_expire_script + echo '$rowaff2=mysql_affected_rows();' >> $gnusocial_expire_script + echo 'mysql_query($reply_query);' >> $gnusocial_expire_script + echo '$rowaff3=mysql_affected_rows();' >> $gnusocial_expire_script + echo 'mysql_close();' >> $gnusocial_expire_script + echo '' >> $gnusocial_expire_script + echo 'echo "Expire GNU Social posts: $rowaff1 notices, $rowaff2 conversations, and $rowaff3 replies deleted from database.\n";' >> $gnusocial_expire_script + chmod +x $gnusocial_expire_script + + # Add a cron job + if ! grep -q "$gnusocial_expire_script" /etc/crontab; then + echo "10 3 5 * * root /usr/bin/timeout 500 /usr/bin/php $gnusocial_expire_script" >> /etc/crontab + fi + + # remove old expire script + if [ -f /etc/cron.weekly/clear-microblog-database ]; then + rm /etc/cron.weekly/clear-microblog-database + fi +} + +function install_gnu_social_theme { + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter "GNU Social theme commit" "$MICROBLOG_THEME_COMMIT" $MICROBLOG_THEME_REPO + + # customise with project logo + if [ -f /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png ]; then + if [ -f ~/freedombone/img/gnusocial_sprite.png ]; then + cp ~/freedombone/img/gnusocial_sprite.png /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png + fi + fi + + if grep -Fxq "install_gnu_social_theme" $COMPLETION_FILE; then + return + fi + + apt-get -y install wget + + if [ ! -d /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins ]; then + mkdir -p /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins + fi + + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins + function_check git_clone + git_clone $MICROBLOG_THEME_REPO Qvitter + cd /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter + git checkout $MICROBLOG_THEME_COMMIT -b $MICROBLOG_THEME_COMMIT + + # download a custom background image + MICROBLOG_BACKGROUND_IMAGE_URL_EXT= + if [ $MICROBLOG_BACKGROUND_IMAGE_URL ]; then + if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".jpeg" || $$MICROBLOG_BACKGROUND_IMAGE_URL == *".jpg" ]]; then + MICROBLOG_BACKGROUND_IMAGE_URL_EXT="jpg" + fi + if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".png" ]]; then + MICROBLOG_BACKGROUND_IMAGE_URL_EXT="png" + fi + if [[ $$MICROBLOG_BACKGROUND_IMAGE_URL == *".gif" ]]; then + MICROBLOG_BACKGROUND_IMAGE_URL_EXT="gif" + fi + if [ $MICROBLOG_BACKGROUND_IMAGE_URL_EXT ]; then + wget $MICROBLOG_BACKGROUND_IMAGE_URL -O img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT} + if [ ! -f img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT} ]; then + echo "$MICROBLOG_BACKGROUND_IMAGE_URL" + echo $'Custom background image for microblog could not be downloaded' + exit 87524 + fi + fi + fi + + microblog_config_file=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs/config.php + if ! grep -q "addPlugin('Qvitter')" $microblog_config_file; then + MICROBLOG_WELCOME_MESSAGE=$(echo $MICROBLOG_WELCOME_MESSAGE | sed "s|\$MICROBLOG_DOMAIN_NAME|$MICROBLOG_DOMAIN_NAME|g") + echo "" >> $microblog_config_file + echo "// Qvitter settings" >> $microblog_config_file + echo "addPlugin('Qvitter');" >> $microblog_config_file + echo "\$config['site']['qvitter']['enabledbydefault'] = true;" >> $microblog_config_file + echo "\$config['site']['qvitter']['defaultbackgroundcolor'] = '#f4f4f4';" >> $microblog_config_file + echo "\$config['site']['qvitter']['defaultlinkcolor'] = '#0084B4';" >> $microblog_config_file + echo "\$config['site']['qvitter']['timebetweenpolling'] = 30000; // 30 secs" >> $microblog_config_file + echo "\$config['site']['qvitter']['urlshortenerapiurl'] = 'http://qttr.at/shortener.php';" >> $microblog_config_file + echo "\$config['site']['qvitter']['urlshortenersignature'] = 'b6afeec983';" >> $microblog_config_file + if [ $MICROBLOG_BACKGROUND_IMAGE_URL ]; then + echo "\$config['site']['qvitter']['sitebackground'] = 'img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT}';" >> $microblog_config_file + else + echo "\$config['site']['qvitter']['sitebackground'] = 'img/vagnsmossen.jpg';" >> $microblog_config_file + fi + echo "\$config['site']['qvitter']['favicon'] = 'img/favicon.ico?v=4';" >> $microblog_config_file + echo "\$config['site']['qvitter']['sprite'] = Plugin::staticPath('Qvitter', '').'img/sprite.png?v=40';" >> $microblog_config_file + echo "\$config['site']['qvitter']['enablewelcometext'] = true;" >> $microblog_config_file + echo "\$config['site']['qvitter']['customwelcometext']['en'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file + echo "\$config['site']['qvitter']['customwelcometext']['de'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file + echo "\$config['site']['qvitter']['customwelcometext']['fr'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file + echo "\$config['site']['qvitter']['customwelcometext']['es'] = '$MICROBLOG_WELCOME_MESSAGE';" >> $microblog_config_file + echo "\$config['site']['qvitter']['blocked_ips'] = array();" >> $microblog_config_file + else + if [ $MICROBLOG_BACKGROUND_IMAGE_URL_EXT ]; then + if [ -f img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT} ]; then + sed -i "s|\$config['site']['qvitter']['sitebackground'].*|\$config['site']['qvitter']['sitebackground'] = 'img/custom.${MICROBLOG_BACKGROUND_IMAGE_URL_EXT}';|g" $microblog_config_file + fi + fi + fi + + # customise with project logo + if [ -f /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png ]; then + if [ -f ~/freedombone/img/gnusocial_sprite.png ]; then + cp ~/freedombone/img/gnusocial_sprite.png /var/www/$MICROBLOG_DOMAIN_NAME/htdocs/local/plugins/Qvitter/img/sprite.png + fi + fi + + if ! grep -q "GNU Social theme commit" $COMPLETION_FILE; then + echo "GNU Social theme commit:$MICROBLOG_THEME_COMMIT" >> $COMPLETION_FILE + fi + + chown -R www-data:www-data /var/www/$MICROBLOG_DOMAIN_NAME/htdocs + + echo 'install_gnu_social_theme' >> $COMPLETION_FILE +} + +function install_gnu_social_markdown { + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + MICROBLOG_PATH=/var/www/$MICROBLOG_DOMAIN_NAME/htdocs + + # update to the next commit + function_check set_repo_commit + set_repo_commit $MICROBLOG_PATH/local/plugins/Markdown "GNU Social Markdown commit" "$MICROBLOG_MARKDOWN_COMMIT" $MICROBLOG_MARKDOWN_REPO + + if grep -Fxq "install_gnu_social_markdown" $COMPLETION_FILE; then + return + fi + + if [ -d $MICROBLOG_PATH/local/plugins/Markdown ]; then + rm -rf $MICROBLOG_PATH/local/plugins/Markdown + fi + + if [ ! -d $MICROBLOG_PATH/local/plugins ]; then + mkdir -p $MICROBLOG_PATH/local/plugins + fi + + cd $MICROBLOG_PATH/local/plugins + function_check git_clone + git_clone $MICROBLOG_MARKDOWN_REPO Markdown + cd $MICROBLOG_PATH/local/plugins/Markdown + git checkout $MICROBLOG_MARKDOWN_COMMIT -b $MICROBLOG_MARKDOWN_COMMIT + + microblog_config_file=$MICROBLOG_PATH/config.php + if ! grep -q "addPlugin('Markdown'" $microblog_config_file; then + echo "" >> $microblog_config_file + echo "// Markdown settings" >> $microblog_config_file + echo "addPlugin('Markdown');" >> $microblog_config_file + fi + + if ! grep -q "GNU Social Markdown commit" $COMPLETION_FILE; then + echo "GNU Social Markdown commit:$MICROBLOG_MARKDOWN_COMMIT" >> $COMPLETION_FILE + fi + + chown -R www-data:www-data $MICROBLOG_PATH + + echo 'install_gnu_social_markdown' >> $COMPLETION_FILE +} + +# NOTE: deliberately there is no "exit 0" diff --git a/src/freedombone-app-gogs b/src/freedombone-app-gogs new file mode 100755 index 00000000..bbf0f452 --- /dev/null +++ b/src/freedombone-app-gogs @@ -0,0 +1,410 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Gogs functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +GIT_DOMAIN_NAME= +GIT_CODE= +GIT_ONION_PORT=8090 +GIT_DOMAIN_REPO="https://github.com/gogits/gogs" +GIT_ADMIN_PASSWORD= +GOGS_COMMIT='3fb4f7f4980b4339fd9ef6a3ba5b0acab83d264d' + +function install_gogs { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! $GIT_DOMAIN_NAME ]; then + return + fi + + function_check select_go_version + select_go_version + + # update to the next commit + function_check + set_repo_commit $GOPATH/src/github.com/gogits/gogs "Gogs commit" "$GOGS_COMMIT" $GIT_DOMAIN_REPO + + if grep -Fxq "install_gogs" $COMPLETION_FILE; then + return + fi + + if [ -d $GOPATH/src/github.com/gogits ]; then + rm -rf $GOPATH/src/github.com/gogits + fi + + if [ -d /home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits ]; then + rm -rf /home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits + fi + + if [ -d /home/git/gogs-repositories ]; then + rm -rf /home/git/gogs-repositories + fi + + if [ ! -d /home/git ]; then + # add a gogs user account + adduser --disabled-login --gecos 'Gogs' git + fi + if [ -d /home/git/Maildir ]; then + rm -rf /home/git/Maildir + fi + + if [ -d $GOPATH/src/github.com/gogits ]; then + rm -rf $GOPATH/src/github.com/gogits + fi + + # install Go + apt-get -y install golang libpam0g-dev + if ! grep -q "export GOPATH=" ~/.bashrc; then + echo "export GOPATH=$GOPATH" >> ~/.bashrc + else + sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" ~/.bashrc + fi + systemctl set-environment GOPATH=$GOPATH + if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then + echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc + else + sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc + fi + if [ ! -d $GOPATH ]; then + mkdir -p $GOPATH + fi + GO_PACKAGE_MANAGER_REPO2=$(echo "$GO_PACKAGE_MANAGER_REPO" | sed 's|https://||g') + go get -u $GO_PACKAGE_MANAGER_REPO2 + if [ ! "$?" = "0" ]; then + echo $'install_gogs: go get failed' + exit 479832 + fi + + # clone the repo + if [ ! -d $GOPATH/src/github.com/gogits ]; then + mkdir -p $GOPATH/src/github.com/gogits + fi + function_check git_clone + git_clone $GIT_DOMAIN_REPO $GOPATH/src/github.com/gogits/gogs + if [ ! -d $GOPATH/src/github.com/gogits/gogs ]; then + echo $"Unable to clone repo $GOPATH/src/github.com/gogits/gogs" + exit 85482 + fi + cd $GOPATH/src/github.com/gogits/gogs + + # install + go get -u ./... + + git checkout $GOGS_COMMIT -b $GOGS_COMMIT + if ! grep -q "Gogs commit" $COMPLETION_FILE; then + echo "Gogs commit:$GOGS_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/Gogs commit.*/Gogs commit:$GOGS_COMMIT/g" $COMPLETION_FILE + fi + + go build + if [ ! "$?" = "0" ]; then + echo $'install_gogs: go build failed' + exit 546750 + fi + + function_check install_mariadb + install_mariadb + + function_check get_mariadb_password + get_mariadb_password + + function_check get_mariadb_git_admin_password + get_mariadb_git_admin_password + if [ ! $GIT_ADMIN_PASSWORD ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + GIT_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + GIT_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + fi + + if ! grep -q $"Gogs admin user password" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo 'Gogs' >> /home/$MY_USERNAME/README + echo '====' >> /home/$MY_USERNAME/README + echo $'Install Steps For First-time Run:' >> /home/$MY_USERNAME/README + echo $'Leave email service settings empty' >> /home/$MY_USERNAME/README + echo $'Check "Enable Register Confirmation"' >> /home/$MY_USERNAME/README + echo $'Check "Enable Mail Notification"' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'If you want to disable new account registrations then append the following:' >> /home/$MY_USERNAME/README + echo ' [service]' >> /home/$MY_USERNAME/README + echo ' DISABLE_REGISTRATION = true' >> /home/$MY_USERNAME/README + echo $'Then restart with:' >> /home/$MY_USERNAME/README + echo ' systemctl restart gogs' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $"Note that there's a usability/security trade-off made here." >> /home/$MY_USERNAME/README + echo $"In order to allow git clone via http we don't redirect everything" >> /home/$MY_USERNAME/README + echo $'over https. Instead only critical things such as user login,' >> /home/$MY_USERNAME/README + echo $'settings and admin are encrypted.' >> /home/$MY_USERNAME/README + echo $'There are also potential security issues with cloning/pulling/pushing' >> /home/$MY_USERNAME/README + echo $'code over http, since a determined adversary could inject malware' >> /home/$MY_USERNAME/README + echo $'into the stream as it passes, so beware.' >> /home/$MY_USERNAME/README + echo $'If you have a bought domain and a non-self signed cert then you' >> /home/$MY_USERNAME/README + echo $"should change /etc/nginx/sites-available/$GIT_DOMAIN_NAME to redirect everything over https." >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + function_check create_database + create_database gogs "$GOGS_ADMIN_PASSWORD" + if [ ! -f $GOPATH/src/github.com/gogits/gogs/scripts/mysql.sql ]; then + echo $'MySql template for Gogs was not found' + exit 72528 + fi + function_check initialise_database + initialise_database gogs $GOPATH/src/github.com/gogits/gogs/scripts/mysql.sql + + chmod 600 $GOPATH/src/github.com/gogits/gogs/custom/conf/app.ini + + chown -R git:git /home/git + echo '[Unit]' > /etc/systemd/system/gogs.service + echo 'Description=Gogs (Go Git Service)' >> /etc/systemd/system/gogs.service + echo 'After=syslog.target' >> /etc/systemd/system/gogs.service + echo 'After=network.target' >> /etc/systemd/system/gogs.service + echo 'After=mysqld.service' >> /etc/systemd/system/gogs.service + echo '' >> /etc/systemd/system/gogs.service + echo '[Service]' >> /etc/systemd/system/gogs.service + echo '#LimitMEMLOCK=infinity' >> /etc/systemd/system/gogs.service + echo '#LimitNOFILE=65535' >> /etc/systemd/system/gogs.service + echo 'Type=simple' >> /etc/systemd/system/gogs.service + echo 'User=git' >> /etc/systemd/system/gogs.service + echo 'Group=git' >> /etc/systemd/system/gogs.service + echo "WorkingDirectory=$GOPATH/src/github.com/gogits/gogs" >> /etc/systemd/system/gogs.service + echo "ExecStart=$GOPATH/src/github.com/gogits/gogs/gogs web" >> /etc/systemd/system/gogs.service + echo 'Restart=always' >> /etc/systemd/system/gogs.service + echo 'RestartSec=10' >> /etc/systemd/system/gogs.service + echo 'TimeoutStartSec=120' >> /etc/systemd/system/gogs.service + echo "Environment=\"USER=git\" \"HOME=/home/git\" \"GOPATH=$GOPATH\" \"GVM_ROOT=$GVM_HOME\"" >> /etc/systemd/system/gogs.service + echo '' >> /etc/systemd/system/gogs.service + echo '[Install]' >> /etc/systemd/system/gogs.service + echo 'WantedBy=multi-user.target' >> /etc/systemd/system/gogs.service + + systemctl enable gogs + systemctl daemon-reload + systemctl restart gogs + + if [ ! -d /var/www/$GIT_DOMAIN_NAME ]; then + mkdir /var/www/$GIT_DOMAIN_NAME + fi + if [ -d /var/www/$GIT_DOMAIN_NAME/htdocs ]; then + rm -rf /var/www/$GIT_DOMAIN_NAME/htdocs + fi + + if [[ $ONION_ONLY == "no" ]]; then + function_check nginx_http_redirect + nginx_http_redirect $GIT_DOMAIN_NAME + echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo " root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo " server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo " error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + function_check nginx_limits + nginx_limits $GIT_DOMAIN_NAME '10G' + function_check nginx_ssl + nginx_ssl $GIT_DOMAIN_NAME + function_check nginx_disable_sniffing + nginx_disable_sniffing $GIT_DOMAIN_NAME + echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' location = /robots.txt {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' allow all;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' log_not_found off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + else + echo -n '' > /etc/nginx/sites-available/$GIT_DOMAIN_NAME + fi + echo 'server {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo " listen 127.0.0.1:${GIT_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo " root /var/www/$GIT_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo " server_name $GIT_DOMAIN_NAME;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo " error_log /var/log/nginx/${GIT_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + function_check nginx_limits + nginx_limits $GIT_DOMAIN_NAME '10G' + function_check nginx_disable_sniffing + nginx_disable_sniffing $GIT_DOMAIN_NAME + echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' proxy_pass http://localhost:3000;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' location = /robots.txt {' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' allow all;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' log_not_found off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$GIT_DOMAIN_NAME + + function_check configure_php + configure_php + + function_check create_site_certificate + create_site_certificate $GIT_DOMAIN_NAME 'yes' + + nginx_ensite $GIT_DOMAIN_NAME + + if [ ! -d /var/lib/tor ]; then + echo $'No Tor installation found. Gogs onion site cannot be configured.' + exit 877367 + fi + if ! grep -q "hidden_service_gogs" /etc/tor/torrc; then + echo 'HiddenServiceDir /var/lib/tor/hidden_service_gogs/' >> /etc/tor/torrc + echo "HiddenServicePort 80 127.0.0.1:${GIT_ONION_PORT}" >> /etc/tor/torrc + echo "HiddenServicePort 9418 127.0.0.1:9418" >> /etc/tor/torrc + echo $'Added onion site for Gogs' + fi + + systemctl restart tor + + function_check wait_for_onion_service + wait_for_onion_service 'gogs' + + GIT_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_gogs/hostname) + + systemctl restart php5-fpm + systemctl restart nginx + + if ! grep -q "Gogs onion domain" /home/$MY_USERNAME/README; then + echo "Gogs onion domain: ${GIT_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + if ! grep -q "Gogs onion domain" $COMPLETION_FILE; then + echo "Gogs onion domain:${GIT_ONION_HOSTNAME}" >> $COMPLETION_FILE + fi + + function_check add_ddns_domain + add_ddns_domain $GIT_DOMAIN_NAME + + # obtain the secret key + GOGS_SECRET_KEY= + if grep -q "Gogs secret key:" /home/$MY_USERNAME/README; then + GOGS_SECRET_KEY=$(cat /home/$MY_USERNAME/README | grep "Gogs secret key:" | awk -F ':' '{print $2}' | sed 's/^ *//') + else + GOGS_SECRET_KEY="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + echo "Gogs secret key:$GOGS_SECRET_KEY" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + fi + + # create the configuration + GOGS_CONFIG_PATH=/home/git/gvm/pkgsets/go${GO_VERSION}/global/src/github.com/gogits/gogs/custom/conf + if [ ! -d $GOGS_CONFIG_PATH ]; then + mkdir -p $GOGS_CONFIG_PATH + fi + GOGS_CONFIG_FILE=$GOGS_CONFIG_PATH/app.ini + echo 'RUN_USER = git' > $GOGS_CONFIG_FILE + echo 'RUN_MODE = prod' >> $GOGS_CONFIG_FILE + echo '' >> $GOGS_CONFIG_FILE + echo '[database]' >> $GOGS_CONFIG_FILE + echo 'DB_TYPE = mysql' >> $GOGS_CONFIG_FILE + echo 'HOST = 127.0.0.1:3306' >> $GOGS_CONFIG_FILE + echo 'NAME = gogs' >> $GOGS_CONFIG_FILE + echo 'USER = root' >> $GOGS_CONFIG_FILE + echo "PASSWD = $MARIADB_PASSWORD" >> $GOGS_CONFIG_FILE + echo 'SSL_MODE = disable' >> $GOGS_CONFIG_FILE + echo 'PATH = data/gogs.db' >> $GOGS_CONFIG_FILE + echo '' >> $GOGS_CONFIG_FILE + echo '[repository]' >> $GOGS_CONFIG_FILE + echo 'ROOT = /home/git/gogs-repositories' >> $GOGS_CONFIG_FILE + echo '' >> $GOGS_CONFIG_FILE + echo '[server]' >> $GOGS_CONFIG_FILE + if [[ $ONION_ONLY == 'no' ]]; then + echo "DOMAIN = ${GIT_DOMAIN_NAME}" >> $GOGS_CONFIG_FILE + else + echo "DOMAIN = ${GIT_ONION_HOSTNAME}" >> $GOGS_CONFIG_FILE + fi + echo 'HTTP_PORT = 3000' >> $GOGS_CONFIG_FILE + echo "ROOT_URL = http://$GIT_DOMAIN_NAME/" >> $GOGS_CONFIG_FILE + echo "SSH_PORT = $SSH_PORT" >> $GOGS_CONFIG_FILE + echo 'SSH_DOMAIN = %(DOMAIN)s' >> $GOGS_CONFIG_FILE + echo "CERT_FILE = /etc/ssl/certs/${GIT_DOMAIN_NAME}.crt" >> $GOGS_CONFIG_FILE + echo "KEY_FILE = /etc/ssl/private/${GIT_DOMAIN_NAME}.key" >> $GOGS_CONFIG_FILE + echo 'DISABLE_ROUTER_LOG = true' >> $GOGS_CONFIG_FILE + echo '' >> $GOGS_CONFIG_FILE + echo '[session]' >> $GOGS_CONFIG_FILE + echo 'PROVIDER = file' >> $GOGS_CONFIG_FILE + echo '' >> $GOGS_CONFIG_FILE + echo '[log]' >> $GOGS_CONFIG_FILE + echo 'MODE = file' >> $GOGS_CONFIG_FILE + echo 'LEVEL = Info' >> $GOGS_CONFIG_FILE + echo '' >> $GOGS_CONFIG_FILE + echo '[security]' >> $GOGS_CONFIG_FILE + echo 'INSTALL_LOCK = true' >> $GOGS_CONFIG_FILE + echo "SECRET_KEY = $GOGS_SECRET_KEY" >> $GOGS_CONFIG_FILE + echo '' >> $GOGS_CONFIG_FILE + echo '[service]' >> $GOGS_CONFIG_FILE + echo 'DISABLE_REGISTRATION = false' >> $GOGS_CONFIG_FILE + echo 'SHOW_REGISTRATION_BUTTON = true' >> $GOGS_CONFIG_FILE + echo 'REQUIRE_SIGNIN_VIEW = false' >> $GOGS_CONFIG_FILE + echo 'ENABLE_CAPTCHA = false' >> $GOGS_CONFIG_FILE + echo '' >> $GOGS_CONFIG_FILE + echo '[other]' >> $GOGS_CONFIG_FILE + echo 'SHOW_FOOTER_BRANDING = false' >> $GOGS_CONFIG_FILE + echo 'SHOW_FOOTER_VERSION = false' >> $GOGS_CONFIG_FILE + + chmod 750 $GOGS_CONFIG_FILE + chown -R git:git /home/git + + systemctl restart gogs + + if ! grep -q "Gogs domain:" $COMPLETION_FILE; then + echo "Gogs domain:$GIT_DOMAIN_NAME" >> $COMPLETION_FILE + fi + + function_check configure_firewall_for_git + configure_firewall_for_git + echo 'install_gogs' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-hubzilla b/src/freedombone-app-hubzilla new file mode 100755 index 00000000..47a146ee --- /dev/null +++ b/src/freedombone-app-hubzilla @@ -0,0 +1,388 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Hubzilla application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +HUBZILLA_DOMAIN_NAME= +HUBZILLA_CODE= +HUBZILLA_ONION_PORT=8085 +HUBZILLA_REPO="https://github.com/redmatrix/hubzilla.git" +HUBZILLA_THEMES_REPO="https://github.com/DeadSuperHero/redmatrix-themes" +HUBZILLA_ADDONS_REPO="https://github.com/redmatrix/hubzilla-addons.git" +HUBZILLA_ADMIN_PASSWORD= +HUBZILLA_COMMIT='2d79e75788aa71664a379c4cea0b6bfe3ab87ad0' +HUBZILLA_ADDONS_COMMIT='67b40c7a40f328a93ee030eb15e9e1261f3cba64' + +function install_hubzilla { + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! $HUBZILLA_DOMAIN_NAME ]; then + return + fi + + HUBZILLA_PATH=/var/www/$HUBZILLA_DOMAIN_NAME/htdocs + + # update to a new commit if needed + function_check set_repo_commit + set_repo_commit $HUBZILLA_PATH "Hubzilla commit" "$HUBZILLA_COMMIT" $HUBZILLA_REPO + set_repo_commit $HUBZILLA_PATH/addon "Hubzilla addons commit" "$HUBZILLA_ADDONS_COMMIT" $HUBZILLA_ADDONS_REPO + if [ -d $HUBZILLA_PATH/redmatrix-themes1 ]; then + cd $HUBZILLA_PATH/redmatrix-themes1 + git stash + git pull + cp -r $HUBZILLA_PATH/redmatrix-themes1/* $HUBZILLA_PATH/view/theme/ + chown -R www-data:www-data $HUBZILLA_PATH + fi + + if grep -Fxq "install_hubzilla" $COMPLETION_FILE; then + return + fi + + function_check install_mariadb + install_mariadb + + function_check get_mariadb_password + get_mariadb_password + + function_check repair_databases_script + repair_databases_script + + apt-get -y install php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt git + apt-get -y install php5-dev imagemagick php5-imagick + apt-get -y install php5-memcached + + if [ ! -d /var/www/$HUBZILLA_DOMAIN_NAME ]; then + mkdir /var/www/$HUBZILLA_DOMAIN_NAME + fi + if [ ! -d $HUBZILLA_PATH ]; then + mkdir $HUBZILLA_PATH + fi + + if [ ! -f $HUBZILLA_PATH/index.php ]; then + cd $INSTALL_DIR + function_check git_clone + git_clone $HUBZILLA_REPO hubzilla + git checkout $HUBZILLA_COMMIT -b $HUBZILLA_COMMIT + if ! grep -q "Hubzilla commit" $COMPLETION_FILE; then + echo "Hubzilla commit:$HUBZILLA_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/Hubzilla commit.*/Hubzilla commit:$HUBZILLA_COMMIT/g" $COMPLETION_FILE + fi + + rm -rf $HUBZILLA_PATH + mv hubzilla $HUBZILLA_PATH + + git_clone $HUBZILLA_ADDONS_REPO $HUBZILLA_PATH/addon + cd $HUBZILLA_PATH/addon + git checkout $HUBZILLA_ADDONS_COMMIT -b $HUBZILLA_ADDONS_COMMIT + if ! grep -q "Hubzilla addons commit" $COMPLETION_FILE; then + echo "Hubzilla addons commit:$HUBZILLA_ADDONS_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/Hubzilla addons commit.*/Hubzilla addons commit:$HUBZILLA_ADDONS_COMMIT/g" $COMPLETION_FILE + fi + + # some extra themes + git_clone $HUBZILLA_THEMES_REPO $HUBZILLA_PATH/redmatrix-themes1 + cp -r $HUBZILLA_PATH/redmatrix-themes1/* $HUBZILLA_PATH/view/theme/ + + chown -R www-data:www-data $HUBZILLA_PATH + fi + + HUBZILLA_ONION_HOSTNAME= + if [[ $ONION_ONLY != "no" ]]; then + HUBZILLA_ONION_HOSTNAME=$(add_onion_service hubzilla 80 ${HUBZILLA_ONION_PORT}) + echo "Hubzilla onion domain:${HUBZILLA_ONION_HOSTNAME}" >> $COMPLETION_FILE + fi + + function_check get_mariadb_hubzilla_admin_password + get_mariadb_hubzilla_admin_password + if [ ! $HUBZILLA_ADMIN_PASSWORD ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + HUBZILLA_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + HUBZILLA_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo 'Hubzilla' >> /home/$MY_USERNAME/README + echo '========' >> /home/$MY_USERNAME/README + if [[ $ONION_ONLY == 'no' ]]; then + echo $"Open https://$HUBZILLA_DOMAIN_NAME and register a new user" >> /home/$MY_USERNAME/README + else + echo $"Open http://$HUBZILLA_ONION_HOSTNAME and register a new user" >> /home/$MY_USERNAME/README + fi + echo $"Your MariaDB Hubzilla admin password is: $HUBZILLA_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + function_check create_database + create_database hubzilla "$HUBZILLA_ADMIN_PASSWORD" + + if ! grep -q "$HUBZILLA_PATH" /etc/crontab; then + echo "12,22,32,42,52 * * * * root cd $HUBZILLA_PATH; /usr/bin/timeout 500 /usr/bin/php include/poller.php" >> /etc/crontab + fi + + function check add_ddns_domain + add_ddns_domain $HUBZILLA_DOMAIN_NAME + + if [[ $ONION_ONLY == "no" ]]; then + function_check nginx_http_redirect + nginx_http_redirect $HUBZILLA_DOMAIN_NAME + echo 'server {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " root $HUBZILLA_PATH;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " server_name $HUBZILLA_DOMAIN_NAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' charset utf-8;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + function_check nginx_limits + nginx_limits $HUBZILLA_DOMAIN_NAME + function_check nginx_ssl + nginx_ssl $HUBZILLA_DOMAIN_NAME + function_check nginx_disable_sniffing + nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME + echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' allow all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' expires 30d;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # block these file types' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # or a unix socket' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ~ /\. {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + else + echo 'server {' > /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " listen 127.0.0.1:${HUBZILLA_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " root $HUBZILLA_PATH;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " server_name $HUBZILLA_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " error_log /var/log/nginx/${HUBZILLA_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' charset utf-8;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + nginx_limits $HUBZILLA_DOMAIN_NAME + nginx_disable_sniffing $HUBZILLA_DOMAIN_NAME + echo ' add_header Strict-Transport-Security max-age=15768000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' allow all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' expires 30d;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # block these file types' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # or a unix socket' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' fastcgi_read_timeout 300;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ~ /\. {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$HUBZILLA_DOMAIN_NAME + fi + + function_check configure_php + configure_php + + function_check create_site_certificate + create_site_certificate $HUBZILLA_DOMAIN_NAME 'yes' + + if [ ! -d $HUBZILLA_PATH/view/tpl/smarty3 ]; then + mkdir $HUBZILLA_PATH/view/tpl/smarty3 + fi + if [ ! -d "$HUBZILLA_PATH/store" ]; then + mkdir "$HUBZILLA_PATH/store" + fi + if [ ! -d "$HUBZILLA_PATH/store/[data]" ]; then + mkdir "$HUBZILLA_PATH/store/[data]" + fi + if [ ! -d "$HUBZILLA_PATH/store/[data]/smarty3" ]; then + mkdir "$HUBZILLA_PATH/store/[data]/smarty3" + chmod 777 "$HUBZILLA_PATH/store/[data]/smarty3" + fi + chmod 777 $HUBZILLA_PATH/view/tpl + chown -R www-data:www-data "$HUBZILLA_PATH/store" + chmod 777 $HUBZILLA_PATH/view/tpl/smarty3 + + # Ensure that the database gets backed up locally, if remote + # backups are not being used + function_check backup_databases_script_header + backup_databases_script_header + + function_check backup_database_local + backup_database_local hubzilla + + chown -R www-data:www-data $HUBZILLA_PATH + + function_check nginx_ensite + nginx_ensite $HUBZILLA_DOMAIN_NAME + + # initialize the database + if [ ! -f $HUBZILLA_PATH/install/schema_mysql.sql ]; then + echo $'No database schema found for hubzilla' + exit 252782 + fi + function_check initialise_database + initialise_database hubzilla $HUBZILLA_PATH/install/schema_mysql.sql + + # create the config file + echo ' $HUBZILLA_PATH/.htconfig.php + echo "\$db_host = 'localhost';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$db_port = '0';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$db_user = 'root';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$db_pass = '${MARIADB_PASSWORD}';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$db_data = 'hubzilla';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$db_type = '0';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$default_timezone = 'Europe/London';" >> $HUBZILLA_PATH/.htconfig.php + if [[ $ONION_ONLY == 'no' ]]; then + echo "\$a->config['system']['baseurl'] = 'https://${HUBZILLA_DOMAIN_NAME}';" >> $HUBZILLA_PATH/.htconfig.php + else + echo "\$a->config['system']['baseurl'] = 'http://${HUBZILLA_ONION_HOSTNAME}';" >> $HUBZILLA_PATH/.htconfig.php + fi + echo "\$a->config['system']['sitename'] = \"Hubzilla\";" >> $HUBZILLA_PATH/.htconfig.php + HUBZILLA_LOCATION_HASH="$(create_password 30)" + echo "\$a->config['system']['location_hash'] = '${HUBZILLA_LOCATION_HASH}';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$a->config['system']['register_policy'] = REGISTER_OPEN;" >> $HUBZILLA_PATH/.htconfig.php + echo "\$a->config['system']['register_text'] = '';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$a->config['system']['admin_email'] = '${MY_EMAIL_ADDRESS}';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$a->config['system']['verify_email'] = 1;" >> $HUBZILLA_PATH/.htconfig.php + echo "\$a->config['system']['access_policy'] = ACCESS_PRIVATE;" >> $HUBZILLA_PATH/.htconfig.php + echo "\$a->config['system']['sellpage'] = '';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$a->config['system']['max_import_size'] = 200000;" >> $HUBZILLA_PATH/.htconfig.php + echo "\$a->config['system']['php_path'] = '/usr/bin/php';" >> $HUBZILLA_PATH/.htconfig.php + echo "\$a->config['system']['directory_mode'] = DIRECTORY_MODE_NORMAL;" >> $HUBZILLA_PATH/.htconfig.php + echo "\$a->config['system']['theme'] = 'redbasic';" >> $HUBZILLA_PATH/.htconfig.php + chown www-data:www-data $HUBZILLA_PATH/.htconfig.php + chmod 755 $HUBZILLA_PATH/.htconfig.php + + systemctl restart php5-fpm + systemctl restart nginx + systemctl restart cron + + freedombone-addemail -u $MY_USERNAME -e "noreply@$HUBZILLA_DOMAIN_NAME" -g hubzilla --public no + + echo "Hubzilla domain:${HUBZILLA_DOMAIN_NAME}" >> $COMPLETION_FILE + echo 'install_hubzilla' >> $COMPLETION_FILE +} + +# NOTE: deliberately there is no "exit 0" diff --git a/src/freedombone-app-intrusion b/src/freedombone-app-intrusion new file mode 100755 index 00000000..1d69067d --- /dev/null +++ b/src/freedombone-app-intrusion @@ -0,0 +1,88 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Intrusion detection application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function intrusion_detection { + if grep -Fxq "intrusion_detection" $COMPLETION_FILE; then + return + fi + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + apt-get -y install tripwire + apt-get -y autoremove + cd /etc/tripwire + cp site.key $DEFAULT_DOMAIN_NAME-site.key + echo '*** Installing intrusion detection ***' + echo ' + +' | tripwire --init + + # make a script for easy resetting of the tripwire + echo '#!/bin/sh' > /usr/bin/reset-tripwire + echo 'tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt' >> /usr/bin/reset-tripwire + chmod +x /usr/bin/reset-tripwire + + sed -i 's/SYSLOGREPORTING.*/SYSLOGREPORTING =false/g' /etc/tripwire/twcfg.txt + # only send emails if something has changed + sed -i 's|MAILNOVIOLATIONS.*|MAILNOVIOLATIONS = false|g' /etc/tripwire/twcfg.txt + sed -i '/# These files change the behavior of the root account/,/}/ s/.*//g' /etc/tripwire/twpol.txt + sed -i 's|/etc/rc.boot.*||g' /etc/tripwire/twpol.txt + # Don't show any changes to /proc + sed -i 's|/proc.*||g' /etc/tripwire/twpol.txt + # Don't report log changes + sed -i 's|/var/log.*||g' /etc/tripwire/twpol.txt + # Ignore /etc/tripwire + if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then + sed -i '\|/etc\t\t->.*|a\ !/etc/tripwire ;' /etc/tripwire/twpol.txt + fi + # ignore tt-rss cache + if ! grep -q '!/etc/share/tt-rss/cache' /etc/tripwire/twpol.txt; then + sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/cache ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then + sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt + fi + # Avoid logging the changed database + sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt + # recreate the configuration + echo ' + + ' | twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt + # reset + echo ' + + + + ' | reset-tripwire + + echo 'intrusion_detection' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-ipfs b/src/freedombone-app-ipfs new file mode 100755 index 00000000..b564cf28 --- /dev/null +++ b/src/freedombone-app-ipfs @@ -0,0 +1,167 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# ipfs functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +IPFS_GO_REPO="https://github.com/ipfs/go-ipfs" +IPFS_COMMIT='20b06a4cbce8884f5b194da6e98cb11f2c77f166' +IPFS_PORT=4001 + +function install_ipfs { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then + return + fi + + function_check select_go_version + select_go_version + + # update to the next commit + function_check set_repo_commit + set_repo_commit $GOPATH/src/github.com/ipfs/go-ipfs "ipfs commit" "$IPFS_COMMIT" $IPFS_REPO + + if grep -Fxq "install_ipfs" $COMPLETION_FILE; then + return + fi + + apt-get -y install golang libpam0g-dev fuse + + if [ ! -d /home/git ]; then + # add a gogs user account + adduser --disabled-login --gecos 'Gogs' git + + # install Go + if ! grep -q "export GOPATH=" ~/.bashrc; then + echo "export GOPATH=$GOPATH" >> ~/.bashrc + else + sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" ~/.bashrc + fi + systemctl set-environment GOPATH=$GOPATH + if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then + echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc + else + sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc + fi + if [ ! -d $GOPATH ]; then + mkdir -p $GOPATH + fi + fi + + IPFS_PATH=$GOPATH/bin + export PATH="$GOPATH/bin:$PATH:" + if ! grep -q 'GOPATH/bin' ~/.bashrc; then + echo 'export PATH="$GOPATH/bin:$PATH:";' >> ~/.bashrc + else + sed -i "s|systemctl set-environment GOPATH=.*|systemctl set-environment GOPATH=$GOPATH|g" ~/.bashrc + fi + + # set gopath for the user + if ! grep -q "GOPATH=" /home/$MY_USERNAME/.bashrc; then + echo "export GOPATH=$GOPATH" >> /home/$MY_USERNAME/.bashrc + echo 'export PATH="$GOPATH/bin:$PATH:";' >> /home/$MY_USERNAME/.bashrc + else + sed -i "s|export GOPATH=.*|export GOPATH=$GOPATH|g" /home/$MY_USERNAME/.bashrc + fi + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.bashrc + + IPFS_GO_REPO2=$(echo "$IPFS_GO_REPO" | sed 's|https://||g') + go get -u ${IPFS_GO_REPO2}/cmd/ipfs + if [ ! "$?" = "0" ]; then + exit 8242 + fi + + cd $GOPATH/src/$IPFS_GO_REPO2 + git checkout $IPFS_COMMIT -b $IPFS_COMMIT + if ! grep -q "ipfs commit" $COMPLETION_FILE; then + echo "ipfs commit:$IPFS_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/ipfs commit.*/ipfs commit:$IPFS_COMMIT/g" $COMPLETION_FILE + fi + + # initialise + su -c "$IPFS_PATH/ipfs init -b 4096" - $MY_USERNAME + if [ ! -d /home/$MY_USERNAME/.ipfs ]; then + echo "IPFS could not be initialised for user $MY_USERNAME" + exit 7358 + fi + + # directories to mount to + if [ ! -d /ipfs ]; then + mkdir /ipfs + mkdir /ipns + chown $MY_USERNAME:$MY_USERNAME /ipfs + chown $MY_USERNAME:$MY_USERNAME /ipns + fi + + if [ -f /etc/fuse.conf ]; then + chown $MY_USERNAME:$MY_USERNAME /etc/fuse.conf + fi + if [ -f /dev/fuse ]; then + chown $MY_USERNAME:$MY_USERNAME /dev/fuse + fi + + echo '[Unit]' > /etc/systemd/system/ipfs.service + echo 'Description=IPFS daemon' >> /etc/systemd/system/ipfs.service + echo 'After=syslog.target' >> /etc/systemd/system/ipfs.service + echo 'After=network.target' >> /etc/systemd/system/ipfs.service + echo '' >> /etc/systemd/system/ipfs.service + echo '[Service]' >> /etc/systemd/system/ipfs.service + echo 'Type=simple' >> /etc/systemd/system/ipfs.service + echo "User=$MY_USERNAME" >> /etc/systemd/system/ipfs.service + echo "Group=$MY_USERNAME" >> /etc/systemd/system/ipfs.service + echo "WorkingDirectory=/home/$MY_USERNAME" >> /etc/systemd/system/ipfs.service + echo "ExecStart=$IPFS_PATH/ipfs daemon --mount" >> /etc/systemd/system/ipfs.service + echo 'Restart=on-failure' >> /etc/systemd/system/ipfs.service + echo "Environment=\"USER=$MY_USERNAME\" \"HOME=/home/$MY_USERNAME\" \"GOPATH=$GOPATH\" \"GVM_ROOT=$GVM_HOME\"" >> /etc/systemd/system/ipfs.service + echo '' >> /etc/systemd/system/ipfs.service + echo '[Install]' >> /etc/systemd/system/ipfs.service + echo 'WantedBy=multi-user.target' >> /etc/systemd/system/ipfs.service + + systemctl enable ipfs + systemctl daemon-reload + systemctl restart ipfs + + if [ -d /etc/avahi ]; then + su -c "echo $($IPFS_PATH/ipfs id | grep '\"ID\":' | awk -F '\"' '{print $4}') > /tmp/ipfsid" - $MY_USERNAME + if [ ! -f /tmp/ipfsid ]; then + echo 'No IPFS identity was created' + exit 37895 + fi + IPFS_PEER_ID=$(cat /tmp/ipfsid) + if [ ${#IPFS_PEER_ID} -lt 10 ]; then + echo 'Invalid IPFS peer ID' + echo "$IPFS_PEER_ID" + exit 74782 + fi + # Add an avahi service + function_check create_avahi_service + create_avahi_service ipfs "ipfs" udp $IPFS_PORT "$IPFS_PEER_ID" + rm /tmp/ipfsid + fi + + echo 'install_ipfs' >> $COMPLETION_FILE +} diff --git a/src/freedombone-app-irc b/src/freedombone-app-irc new file mode 100755 index 00000000..8aff263e --- /dev/null +++ b/src/freedombone-app-irc @@ -0,0 +1,239 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# IRC server application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +IRC_PORT=6697 +IRC_ONION_PORT=6697 + +# An optional password to log into IRC. This applies to all users +IRC_PASSWORD= + +function install_irc_server { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "install_irc_server" $COMPLETION_FILE; then + return + fi + apt-get -y install ngircd + + if [ ! -d /etc/ngircd ]; then + echo $"ERROR: ngircd does not appear to have installed. $CHECK_MESSAGE" + exit 53 + fi + + if [ ! -f /etc/ssl/certs/ngircd.dhparam ]; then + ${PROJECT_NAME}-addcert -h ngircd --dhkey $DH_KEYLENGTH + function_check check_certificates + check_certificates ngircd + fi + + DEFAULTDOMAIN=$DEFAULT_DOMAIN_NAME + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + DEFAULTDOMAIN="${DEFAULT_DOMAIN_NAME}.local" + fi + + # create a login password if needed + if [ ! $IRC_PASSWORD ]; then + IRC_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + + echo '**************************************************' > /etc/ngircd/motd + echo $'* F R E E D O M B O N E I R C *' >> /etc/ngircd/motd + echo '* *' >> /etc/ngircd/motd + echo $'* Freedom in the Cloud *' >> /etc/ngircd/motd + echo '**************************************************' >> /etc/ngircd/motd + sed -i 's|MotdFile = /etc/ngircd/ngircd.motd|MotdFile = /etc/ngircd/motd|g' /etc/ngircd/ngircd.conf + sed -i "s/irc@irc.example.com/$MY_EMAIL_ADDRESS/g" /etc/ngircd/ngircd.conf + sed -i "s/irc.example.net/$DEFAULTDOMAIN/g" /etc/ngircd/ngircd.conf + sed -i "s|Yet another IRC Server running on Debian GNU/Linux|IRC Server of $DEFAULTDOMAIN|g" /etc/ngircd/ngircd.conf + sed -i 's/;Password = wealllikedebian/Password =/g' /etc/ngircd/ngircd.conf + sed -i 's|;CertFile = /etc/ssl/certs/server.crt|CertFile = /etc/ssl/certs/ngircd.crt|g' /etc/ngircd/ngircd.conf + sed -i 's|;DHFile = /etc/ngircd/dhparams.pem|DHFile = /etc/ssl/certs/ngircd.dhparam|g' /etc/ngircd/ngircd.conf + sed -i 's|;KeyFile = /etc/ssl/private/server.key|KeyFile = /etc/ssl/private/ngircd.key|g' /etc/ngircd/ngircd.conf + sed -i "s/;Ports =.*/Ports = $IRC_PORT/1" /etc/ngircd/ngircd.conf + sed -i "s/;Ports =.*/Ports = $IRC_PORT/2" /etc/ngircd/ngircd.conf + sed -i "s/;Name = #ngircd/Name = #${PROJECT_NAME}/g" /etc/ngircd/ngircd.conf + sed -i "s/;Topic = Our ngircd testing channel/Topic = ${PROJECT_NAME} chat channel/g" /etc/ngircd/ngircd.conf + sed -i 's/;MaxUsers = 23/MaxUsers = 23/g' /etc/ngircd/ngircd.conf + sed -i "s|;KeyFile = /etc/ngircd/#chan.key|KeyFile = /etc/ngircd/#${PROJECT_NAME}.key|g" /etc/ngircd/ngircd.conf + sed -i "s/;CloakHost = cloaked.host/CloakHost = ${PROJECT_NAME}/g" /etc/ngircd/ngircd.conf + IRC_SALT="$(create_password 30)" + if [ -f $IMAGE_PASSWORD_FILE ]; then + IRC_OPERATOR_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + IRC_OPERATOR_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + sed -i "s|;CloakHostSalt = abcdefghijklmnopqrstuvwxyz|CloakHostSalt = $IRC_SALT|g" /etc/ngircd/ngircd.conf + sed -i 's/;ConnectIPv4 = yes/ConnectIPv4 = yes/g' /etc/ngircd/ngircd.conf + sed -i 's/;MorePrivacy = no/MorePrivacy = yes/g' /etc/ngircd/ngircd.conf + sed -i 's/;RequireAuthPing = no/RequireAuthPing = no/g' /etc/ngircd/ngircd.conf + sed -i "s/;Name = TheOper/Name = $MY_USERNAME/g" /etc/ngircd/ngircd.conf + sed -i "s/;Password = ThePwd/Password = $IRC_OPERATOR_PASSWORD/g" /etc/ngircd/ngircd.conf + sed -i 's|;Listen =.*|Listen = 0.0.0.0,0.0.0.0:9050,127.0.0.1,127.0.0.1:9050|g' /etc/ngircd/ngircd.conf + if [ $IRC_PASSWORD ]; then + sed -i "0,/RE/s/Password =.*/Password =$IRC_PASSWORD/" /etc/ngircd/ngircd.conf + fi + # If we are on a mesh then DNS is not available + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + sed -i "s/;DNS =.*/DNS = no/g" /etc/ngircd/ngircd.conf + fi + # upgrade a cypher + sed -i 's|SECURE128|SECURE256|g' /etc/ngircd/ngircd.conf + mkdir /var/run/ircd + chown -R irc:irc /var/run/ircd + mkdir /var/run/ngircd + touch /var/run/ngircd/ngircd.pid + chown -R irc:irc /var/run/ngircd + + IRC_ONION_HOSTNAME=$(add_onion_service irc ${IRC_PORT} ${IRC_ONION_PORT}) + if ! grep -q $"IRC onion domain" $COMPLETION_FILE; then + echo "IRC onion domain:$IRC_ONION_HOSTNAME" >> $COMPLETION_FILE + fi + + systemctl restart ngircd + + # keep the daemon running + echo '' >> /usr/bin/$WATCHDOG_SCRIPT_NAME + echo '# keep irc daemon running' >> /usr/bin/$WATCHDOG_SCRIPT_NAME + echo 'IRC_RUNNING=$(pgrep ngircd > /dev/null && echo Running)' >> /usr/bin/$WATCHDOG_SCRIPT_NAME + echo 'if [ ! $IRC_RUNNING ]; then' >> /usr/bin/$WATCHDOG_SCRIPT_NAME + echo ' systemctl start ngircd' >> /usr/bin/$WATCHDOG_SCRIPT_NAME + echo ' echo -n $CURRENT_DATE >> $LOGFILE' >> /usr/bin/$WATCHDOG_SCRIPT_NAME + echo ' echo " IRC daemon restarted" >> $LOGFILE' >> /usr/bin/$WATCHDOG_SCRIPT_NAME + echo 'fi' >> /usr/bin/$WATCHDOG_SCRIPT_NAME + + if ! grep -q $"IRC Server" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'IRC Server' >> /home/$MY_USERNAME/README + echo '==========' >> /home/$MY_USERNAME/README + echo $'To connect to your IRC server in irssi:' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + if [[ $ONION_ONLY != 'yes' ]]; then + echo " irssi" >> /home/$MY_USERNAME/README + echo " /server add -auto -ssl $DEFAULTDOMAIN $IRC_PORT" >> /home/$MY_USERNAME/README + echo " /connect $DEFAULT_DOMAIN_NAME" >> /home/$MY_USERNAME/README + else + echo " usetorwith irssi" >> /home/$MY_USERNAME/README + echo " /server add -auto $IRC_ONION_HOSTNAME $IRC_PORT" >> /home/$MY_USERNAME/README + echo " /connect $IRC_ONION_HOSTNAME" >> /home/$MY_USERNAME/README + fi + echo " /join #${PROJECT_NAME}" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + function_check configure_firewall_for_irc + configure_firewall_for_irc + echo 'install_irc_server' >> $COMPLETION_FILE +} + +function install_irc_client { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "install_irc_client" $COMPLETION_FILE; then + return + fi + apt-get -y install irssi + + if [ ! -d /home/$MY_USERNAME/.irssi ]; then + mkdir /home/$MY_USERNAME/.irssi + fi + + echo 'servers = (' > /home/$MY_USERNAME/.irssi/config + echo ' {' >> /home/$MY_USERNAME/.irssi/config + echo ' address = "chat.freenode.net";' >> /home/$MY_USERNAME/.irssi/config + echo ' chatnet = "Freenode";' >> /home/$MY_USERNAME/.irssi/config + echo ' port = "6667";' >> /home/$MY_USERNAME/.irssi/config + echo ' autoconnect = "no";' >> /home/$MY_USERNAME/.irssi/config + echo ' },' >> /home/$MY_USERNAME/.irssi/config + echo ' {' >> /home/$MY_USERNAME/.irssi/config + echo ' address = "irc.oftc.net";' >> /home/$MY_USERNAME/.irssi/config + echo ' chatnet = "OFTC";' >> /home/$MY_USERNAME/.irssi/config + echo ' port = "6667";' >> /home/$MY_USERNAME/.irssi/config + echo ' autoconnect = "yes";' >> /home/$MY_USERNAME/.irssi/config + echo ' },' >> /home/$MY_USERNAME/.irssi/config + echo ' {' >> /home/$MY_USERNAME/.irssi/config + echo " address = \"127.0.0.1\";" >> /home/$MY_USERNAME/.irssi/config + if [[ $ONION_ONLY == 'no' ]]; then + echo " port = \"${IRC_PORT}\";" >> /home/$MY_USERNAME/.irssi/config + echo ' use_ssl = "yes";' >> /home/$MY_USERNAME/.irssi/config + else + IRC_ONION_HOSTNAME=$(cat $COMPLETION_FILE | grep "IRC onion domain" | awk -F ':' '{print $2}') + echo " port = \"${IRC_ONION_PORT}\";" >> /home/$MY_USERNAME/.irssi/config + echo ' use_ssl = "no";' >> /home/$MY_USERNAME/.irssi/config + fi + echo ' chatnet = "Freedombone";' >> /home/$MY_USERNAME/.irssi/config + echo ' ssl_verify = "no";' >> /home/$MY_USERNAME/.irssi/config + echo ' autoconnect = "yes";' >> /home/$MY_USERNAME/.irssi/config + if [ $IRC_PASSWORD ]; then + echo " password = \"${IRC_PASSWORD}\";" >> /home/$MY_USERNAME/.irssi/config + fi + echo ' }' >> /home/$MY_USERNAME/.irssi/config + echo ');' >> /home/$MY_USERNAME/.irssi/config + echo '' >> /home/$MY_USERNAME/.irssi/config + echo 'chatnets = {' >> /home/$MY_USERNAME/.irssi/config + echo ' Freedombone = {' >> /home/$MY_USERNAME/.irssi/config + echo ' type = "IRC";' >> /home/$MY_USERNAME/.irssi/config + echo ' max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config + echo ' max_msgs = "4";' >> /home/$MY_USERNAME/.irssi/config + echo ' max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config + echo ' };' >> /home/$MY_USERNAME/.irssi/config + echo ' Freenode = {' >> /home/$MY_USERNAME/.irssi/config + echo ' type = "IRC";' >> /home/$MY_USERNAME/.irssi/config + echo ' max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config + echo ' max_msgs = "4";' >> /home/$MY_USERNAME/.irssi/config + echo ' max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config + echo ' };' >> /home/$MY_USERNAME/.irssi/config + echo ' OFTC = {' >> /home/$MY_USERNAME/.irssi/config + echo ' type = "IRC";' >> /home/$MY_USERNAME/.irssi/config + echo ' max_kicks = "1";' >> /home/$MY_USERNAME/.irssi/config + echo ' max_msgs = "1";' >> /home/$MY_USERNAME/.irssi/config + echo ' max_whois = "1";' >> /home/$MY_USERNAME/.irssi/config + echo ' };' >> /home/$MY_USERNAME/.irssi/config + echo '};' >> /home/$MY_USERNAME/.irssi/config + echo '' >> /home/$MY_USERNAME/.irssi/config + echo 'channels = (' >> /home/$MY_USERNAME/.irssi/config + echo ' { name = "#freedombone"; chatnet = "Freedombone"; autojoin = "Yes"; },' >> /home/$MY_USERNAME/.irssi/config + echo ');' >> /home/$MY_USERNAME/.irssi/config + echo '' >> /home/$MY_USERNAME/.irssi/config + echo 'settings = {' >> /home/$MY_USERNAME/.irssi/config + echo " core = { real_name = \"$MY_NAME\"; user_name = \"$MY_USERNAME\"; nick = \"$MY_USERNAME\"; };" >> /home/$MY_USERNAME/.irssi/config + echo ' "fe-text" = { actlist_sort = "refnum"; };' >> /home/$MY_USERNAME/.irssi/config + echo '};' >> /home/$MY_USERNAME/.irssi/config + echo 'ignores = ( { level = "CTCPS"; } );' >> /home/$MY_USERNAME/.irssi/config + + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.irssi + + echo 'install_irc_client' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-mediagoblin b/src/freedombone-app-mediagoblin new file mode 100755 index 00000000..a356fba2 --- /dev/null +++ b/src/freedombone-app-mediagoblin @@ -0,0 +1,370 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# mediagoblin functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +MEDIAGOBLIN_DOMAIN_NAME= +MEDIAGOBLIN_CODE= +MEDIAGOBLIN_REPO="git://git.savannah.gnu.org/mediagoblin.git" +MEDIAGOBLIN_COMMIT='d1ac2d52fd8859c3f32fa38e4836ffe9615e5bba' +MEDIAGOBLIN_ADMIN_PASSWORD= +MEDIAGOBLIN_ONION_PORT=8096 + +function install_mediagoblin { + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! $MEDIAGOBLIN_DOMAIN_NAME ]; then + return + fi + + MEDIAGOBLIN_WORKING_DIRECTORY=/var/www/$MEDIAGOBLIN_DOMAIN_NAME/htdocs + + # update to a new commit if needed + function_check set_repo_commit + set_repo_commit $MEDIAGOBLIN_WORKING_DIRECTORY "Mediagoblin commit" "$MEDIAGOBLIN_COMMIT" $MEDIAGOBLIN_REPO + if [ -d $MEDIAGOBLIN_WORKING_DIRECTORY ]; then + chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY + fi + + if grep -Fxq "install_mediagoblin" $COMPLETION_FILE; then + return + fi + + apt-get -y install git-core python python-dev python-lxml python-pil + apt-get -y install python-virtualenv npm nodejs-legacy automake + apt-get -y install fcgiwrap + + #apt-get -y install postgresql postgresql-client python-psycopg2 + #apt-get -y install python-gst-1.0 libjpeg62-turbo-dev gstreamer1.0-plugins-base python-gobject + #apt-get -y install gstreamer1.0-plugins-good gstreamer1.0-libav libav-tools gstreamer0.10-tools + #apt-get -y install python-numpy python-scipy libsndfile1-dev python-gst0.10-dev + #apt-get -y install gstreamer0.10-plugins-base gstreamer0.10-plugins-good gstreamer1.0-tools + #su -c "createuser -A -D mediagoblin" - postgres + #su -c "createdb -E UNICODE -O mediagoblin mediagoblin" - postgres + + useradd -c "GNU MediaGoblin system account" -d /var/lib/mediagoblin -m -r -g www-data mediagoblin + groupadd mediagoblin + usermod --append -G mediagoblin mediagoblin + + if [ ! -d $MEDIAGOBLIN_WORKING_DIRECTORY ]; then + mkdir -p $MEDIAGOBLIN_WORKING_DIRECTORY + fi + + function_check git_clone + git_clone $MEDIAGOBLIN_REPO $MEDIAGOBLIN_WORKING_DIRECTORY + cd $MEDIAGOBLIN_WORKING_DIRECTORY + git checkout $MEDIAGOBLIN_COMMIT -b $MEDIAGOBLIN_COMMIT + git submodule init + git submodule update + + if ! grep -q "Mediagoblin commit" $COMPLETION_FILE; then + echo "Mediagoblin commit:$MEDIAGOBLIN_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/Mediagoblin commit.*/Mediagoblin commit:$MEDIAGOBLIN_COMMIT/g" $COMPLETION_FILE + fi + + chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bootstrap.sh" - mediagoblin + if [ ! "$?" = "0" ]; then + exit 278826 + fi + + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./configure" - mediagoblin + if [ ! "$?" = "0" ]; then + exit 462826 + fi + + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && make" - mediagoblin + if [ ! "$?" = "0" ]; then + exit 738229 + fi + + if [ ! -d $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev ]; then + mkdir $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev + fi + chmod 750 $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install flup==1.0.3.dev-20110405" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade billiard" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade Paste" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade amqp" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade anyjson" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade py-bcrypt" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade wtforms" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade python-dateutil" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade alembic" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade waitress" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade imagesize" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade alabaster" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade snowballstemmer" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade docutils" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade Pygments" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade beautifulsoup4" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade WebOb" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade py" - mediagoblin + su -c "cd $MEDIAGOBLIN_WORKING_DIRECTORY && ./bin/easy_install --upgrade execnet" - mediagoblin + + # create some directories + mkdir /var/log/mediagoblin + chown -hR mediagoblin:www-data /var/log/mediagoblin + mkdir /var/run/mediagoblin + chown -hR mediagoblin:www-data /var/run/mediagoblin + + if [ ! -f $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin.ini ]; then + echo $'mediagoblin.ini not found' + exit 737529 + fi + if [ ! -f $MEDIAGOBLIN_WORKING_DIRECTORY/paste.ini ]; then + echo $'paste.ini not found' + exit 52762 + fi + + cp -av mediagoblin.ini mediagoblin_local.ini + cp -av paste.ini paste_local.ini + + chown -hR mediagoblin:www-data $MEDIAGOBLIN_WORKING_DIRECTORY + + # init with systemd + echo '[Unit]' > /etc/systemd/system/mediagoblin-celeryd.service + echo 'Description=Mediagoblin Celeryd' >> /etc/systemd/system/mediagoblin-celeryd.service + echo 'After=syslog.target' >> /etc/systemd/system/mediagoblin-celeryd.service + echo 'After=network.target' >> /etc/systemd/system/mediagoblin-celeryd.service + echo '' >> /etc/systemd/system/mediagoblin-celeryd.service + echo '[Service]' >> /etc/systemd/system/mediagoblin-celeryd.service + echo 'User=mediagoblin' >> /etc/systemd/system/mediagoblin-celeryd.service + echo 'Group=mediagoblin' >> /etc/systemd/system/mediagoblin-celeryd.service + echo 'Type=simple' >> /etc/systemd/system/mediagoblin-celeryd.service + echo "WorkingDirectory=$MEDIAGOBLIN_WORKING_DIRECTORY" >> /etc/systemd/system/mediagoblin-celeryd.service + echo "Environment=MEDIAGOBLIN_CONFIG=$MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin_local.ini \\" >> /etc/systemd/system/mediagoblin-celeryd.service + echo ' CELERY_CONFIG_MODULE=mediagoblin.init.celery.from_celery' >> /etc/systemd/system/mediagoblin-celeryd.service + echo "ExecStart=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/celery worker \\" >> /etc/systemd/system/mediagoblin-celeryd.service + echo ' --logfile=/var/log/mediagoblin/celery.log \' >> /etc/systemd/system/mediagoblin-celeryd.service + echo ' --loglevel=INFO' >> /etc/systemd/system/mediagoblin-celeryd.service + echo 'PIDFile=/var/run/mediagoblin/mediagoblin-celeryd.pid' >> /etc/systemd/system/mediagoblin-celeryd.service + echo '' >> /etc/systemd/system/mediagoblin-celeryd.service + echo '[Install]' >> /etc/systemd/system/mediagoblin-celeryd.service + echo 'WantedBy=multi-user.target' >> /etc/systemd/system/mediagoblin-celeryd.service + + echo '[Unit]' > /etc/systemd/system/mediagoblin-paster.service + echo 'Description=Mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service + echo 'After=syslog.target' >> /etc/systemd/system/mediagoblin-paster.service + echo 'After=network.target' >> /etc/systemd/system/mediagoblin-paster.service + echo '' >> /etc/systemd/system/mediagoblin-paster.service + echo '[Service]' >> /etc/systemd/system/mediagoblin-paster.service + echo 'Type=forking' >> /etc/systemd/system/mediagoblin-paster.service + echo 'User=mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service + echo 'Group=mediagoblin' >> /etc/systemd/system/mediagoblin-paster.service + echo 'Environment=CELERY_ALWAYS_EAGER=false' >> /etc/systemd/system/mediagoblin-paster.service + echo "WorkingDirectory=$MEDIAGOBLIN_WORKING_DIRECTORY" >> /etc/systemd/system/mediagoblin-paster.service + echo "ExecStart=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/paster serve \\" >> /etc/systemd/system/mediagoblin-paster.service + echo " $MEDIAGOBLIN_WORKING_DIRECTORY/paste_local.ini \\" >> /etc/systemd/system/mediagoblin-paster.service + echo ' --pid-file=/var/run/mediagoblin/mediagoblin.pid \' >> /etc/systemd/system/mediagoblin-paster.service + echo ' --log-file=/var/log/mediagoblin/mediagoblin.log \' >> /etc/systemd/system/mediagoblin-paster.service + echo ' --daemon \' >> /etc/systemd/system/mediagoblin-paster.service + echo ' --server-name=fcgi fcgi_host=127.0.0.1 fcgi_port=26543' >> /etc/systemd/system/mediagoblin-paster.service + echo "ExecStop=$MEDIAGOBLIN_WORKING_DIRECTORY/bin/paster serve \\" >> /etc/systemd/system/mediagoblin-paster.service + echo ' --pid-file=/var/run/mediagoblin/mediagoblin.pid \' >> /etc/systemd/system/mediagoblin-paster.service + echo " $MEDIAGOBLIN_WORKING_DIRECTORY/paste_local.ini stop" >> /etc/systemd/system/mediagoblin-paster.service + echo 'PIDFile=/var/run/mediagoblin/mediagoblin.pid' >> /etc/systemd/system/mediagoblin-paster.service + echo '' >> /etc/systemd/system/mediagoblin-paster.service + echo '[Install]' >> /etc/systemd/system/mediagoblin-paster.service + echo 'WantedBy=multi-user.target' >> /etc/systemd/system/mediagoblin-paster.service + systemctl daemon-reload + systemctl enable mediagoblin-celeryd + systemctl enable mediagoblin-paster + systemctl daemon-reload + systemctl start mediagoblin-celeryd + systemctl start mediagoblin-paster + + MEDIAGOBLIN_ONION_HOSTNAME=$(add_onion_service mediagoblin 80 ${MEDIAGOBLIN_ONION_PORT}) + if ! grep -q "Mediagoblin onion domain" $COMPLETION_FILE; then + echo "Mediagoblin onion domain:${MEDIAGOBLIN_ONION_HOSTNAME}" >> $COMPLETION_FILE + else + sed -i "s|Mediagoblin onion domain.*|Mediagoblin onion domain:${MEDIAGOBLIN_ONION_HOSTNAME}|g" $COMPLETION_FILE + fi + if [[ $MEDIAGOBLIN_ONION_HOSTNAME == *"not found"* ]]; then + echo $'Problem creating onion address for mediagoblin' + exit 672652 + fi + + # web config + MEDIAGOBLIN_VIRTUAL_HOST=/etc/nginx/sites-available/$MEDIAGOBLIN_DOMAIN_NAME + function_check nginx_http_redirect + nginx_http_redirect $MEDIAGOBLIN_DOMAIN_NAME + if [[ $ONION_ONLY == 'no' ]]; then + echo 'server {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' listen 443 ssl;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Stock useful config options, but ignore them :)' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' include /etc/nginx/mime.types;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' autoindex off;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' default_type application/octet-stream;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' sendfile on;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + function_check nginx_limits + nginx_limits $MEDIAGOBLIN_DOMAIN_NAME '20m' + function_check nginx_ssl + nginx_ssl $MEDIAGOBLIN_DOMAIN_NAME + function_check nginx_disable_sniffing + nginx_disable_sniffing $MEDIAGOBLIN_DOMAIN_NAME + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Gzip' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' gzip on;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' gzip_min_length 1024;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' gzip_buffers 4 32k;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' gzip_types text/plain application/x-javascript text/javascript text/xml text/css;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Mounting MediaGoblin stuff' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # This is the section you should read' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " server_name $MEDIAGOBLIN_DOMAIN_NAME;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' access_log /var/log/nginx/mediagoblin.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' error_log /var/log/nginx/mediagoblin.error.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # MediaGoblins stock static files: CSS, JS, etc.' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' location /mgoblin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin/static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Instance specific media:' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' location /mgoblin_media/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/media/public/;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Theme static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' location /theme_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/theme_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Plugin static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' location /plugin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/plugin_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Mounting MediaGoblin itself via FastCGI.' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' location / {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' fastcgi_pass 127.0.0.1:26543;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' include /etc/nginx/fastcgi_params;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # our understanding vs nginxs handling of script_name vs' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # path_info dont match :)' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' fastcgi_param PATH_INFO $fastcgi_script_name;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' fastcgi_param SCRIPT_NAME "";' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '}' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + else + echo -n '' > $MEDIAGOBLIN_VIRTUAL_HOST + fi + + echo 'server {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " listen 127.0.0.1:${MEDIAGOBLIN_ONION_PORT} default_server;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Stock useful config options, but ignore them :)' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' #################################################' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' include /etc/nginx/mime.types;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' autoindex off;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' default_type application/octet-stream;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' sendfile on;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + function_check nginx_limits + nginx_limits $MEDIAGOBLIN_DOMAIN_NAME '20m' + function_check nginx_disable_sniffing + nginx_disable_sniffing $MEDIAGOBLIN_DOMAIN_NAME + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Gzip' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' gzip on;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' gzip_min_length 1024;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' gzip_buffers 4 32k;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' gzip_types text/plain application/x-javascript text/javascript text/xml text/css;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Mounting MediaGoblin stuff' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # This is the section you should read' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' #####################################' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " server_name $MEDIAGOBLIN_ONION_HOSTNAME;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' access_log /var/log/nginx/mediagoblin.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' error_log /var/log/nginx/mediagoblin.error.log;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # MediaGoblins stock static files: CSS, JS, etc.' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' location /mgoblin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/mediagoblin/static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Instance specific media:' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' location /mgoblin_media/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/media/public/;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Theme static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' location /theme_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/theme_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Plugin static files (usually symlinked in)' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' location /plugin_static/ {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo " alias $MEDIAGOBLIN_WORKING_DIRECTORY/user_dev/plugin_static/;" >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # Mounting MediaGoblin itself via FastCGI.' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' location / {' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' fastcgi_pass 127.0.0.1:26543;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' include /etc/nginx/fastcgi_params;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # our understanding vs nginxs handling of script_name vs' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' # path_info dont match :)' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' fastcgi_param PATH_INFO $fastcgi_script_name;' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' fastcgi_param SCRIPT_NAME "";' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo ' }' >> $MEDIAGOBLIN_VIRTUAL_HOST + echo '}' >> $MEDIAGOBLIN_VIRTUAL_HOST + + function_check create_site_certificate + create_site_certificate $MEDIAGOBLIN_DOMAIN_NAME + + nginx_ensite $MEDIAGOBLIN_DOMAIN_NAME + systemctl restart php5-fpm + systemctl restart nginx + + add_ddns_domain $MEDIAGOBLIN_DOMAIN_NAME + + if ! grep -q "Mediagoblin domain" $COMPLETION_FILE; then + echo "Mediagoblin domain:$MEDIAGOBLIN_DOMAIN_NAME" >> $COMPLETION_FILE + else + sed -i "s/Mediagoblin domain.*/Mediagoblin domain:$MEDIAGOBLIN_DOMAIN_NAME/g" $COMPLETION_FILE + fi + + echo 'install_mediagoblin' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-mumble b/src/freedombone-app-mumble new file mode 100755 index 00000000..0428cb63 --- /dev/null +++ b/src/freedombone-app-mumble @@ -0,0 +1,159 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Mumble application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Password used for VoIP server +VOIP_SERVER_PASSWORD= +# Port on which VoIP server listens +VOIP_PORT=64738 + +# Location of VoIP database and configuration +VOIP_DATABASE="mumble-server.sqlite" +VOIP_CONFIG_FILE="mumble-server.ini" + +function get_voip_server_password { + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "VoIP server password" /home/$MY_USERNAME/README; then + if [ ! $VOIP_SERVER_PASSWORD ]; then + VOIP_SERVER_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "VoIP server password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + else + if grep -q "Mumble server password" /home/$MY_USERNAME/README; then + if [ ! $VOIP_SERVER_PASSWORD ]; then + VOIP_SERVER_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Mumble server password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi + fi +} + +function install_mumble { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + return + fi + if grep -Fxq "install_mumble" $COMPLETION_FILE; then + return + fi + if grep -Fxq "install_voip" $COMPLETION_FILE; then + return + fi + apt-get -y install mumble-server + + function_check get_voip_server_password + get_voip_server_password + if [ ! $VOIP_SERVER_PASSWORD ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + VOIP_SERVER_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + VOIP_SERVER_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + if [ ${#VOIP_SERVER_PASSWORD} -lt $MINIMUM_PASSWORD_LENGTH ]; then + VOIP_SERVER_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + fi + fi + + # Make an ssl cert for the server + if [ ! -f /etc/ssl/certs/mumble.dhparam ]; then + ${PROJECT_NAME}-addcert -h mumble --dhkey $DH_KEYLENGTH + function_check check_certificates + check_certificates mumble + fi + + # Check that the cert was created + if [ ! -f /etc/ssl/certs/mumble.crt ]; then + echo $'VoIP server certificate not created' + exit 57892 + fi + if [ ! -f /etc/ssl/private/mumble.key ]; then + echo $'VoIP server key not created' + exit 57893 + fi + if [ ! -d /var/lib/mumble-server ]; then + mkdir /var/lib/mumble-server + fi + cp /etc/ssl/certs/mumble.* /var/lib/mumble-server + cp /etc/ssl/private/mumble.key /var/lib/mumble-server + chown -R mumble-server:mumble-server /var/lib/mumble-server + + sed -i "s|welcometext=.*|welcometext=\"
Welcome to $DEFAULT_DOMAIN_NAME VoIP.
Chat freely!
\"|g" /etc/mumble-server.ini + + if [[ $VOIP_SERVER_PASSWORD && $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then + sed -i "s|serverpassword=.*|serverpassword=$VOIP_SERVER_PASSWORD|g" /etc/mumble-server.ini + fi + + sed -i 's|#autobanAttempts.*|autobanAttempts = 10|g' /etc/mumble-server.ini + sed -i 's|#autobanTimeframe.*|autobanTimeframe = 120|g' /etc/mumble-server.ini + sed -i 's|#autobanTime.*|autobanTime = 300|g' /etc/mumble-server.ini + sed -i 's|#sendversion=.*|sendversion=False|g' /etc/mumble-server.ini + sed -i 's|sendversion=.*|sendversion=False|g' /etc/mumble-server.ini + if ! grep -q "allowping" /etc/mumble-server.ini; then + echo 'allowping=False' >> /etc/mumble-server.ini + fi + sed -i 's|allowping=.*|allowping=False|g' /etc/mumble-server.ini + sed -i 's|#sslCert=.*|sslCert=/var/lib/mumble-server/mumble.crt|g' /etc/mumble-server.ini + sed -i 's|#sslKey=.*|sslKey=/var/lib/mumble-server/mumble.key|g' /etc/mumble-server.ini + sed -i 's|#certrequired=.*|certrequired=True|g' /etc/mumble-server.ini + sed -i 's|users=100|users=10|g' /etc/mumble-server.ini + sed -i 's|#channelnestinglimit=10|channelnestinglimit=10|g' /etc/mumble-server.ini + sed -i 's|#textmessagelength=.*|textmessagelength=1000|g' /etc/mumble-server.ini + sed -i 's|textmessagelength=.*|textmessagelength=1000|g' /etc/mumble-server.ini + sed -i 's|#imagemessagelength=.*|imagemessagelength=131072|g' /etc/mumble-server.ini + sed -i 's|#allowhtml=.*|allowhtml=False|g' /etc/mumble-server.ini + sed -i 's|allowhtml=.*|allowhtml=False|g' /etc/mumble-server.ini + sed -i "s|port=.*|port=${VOIP_PORT}|g" /etc/mumble-server.ini + + VOIP_ONION_HOSTNAME=$(add_onion_service voip ${VOIP_PORT} ${VOIP_PORT}) + if ! grep -q $"VoIP onion domain" $COMPLETION_FILE; then + echo "VoIP onion domain:$VOIP_ONION_HOSTNAME" >> $COMPLETION_FILE + fi + + systemctl restart mumble-server + + if ! grep -q $"Mumble Server" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Mumble Server' >> /home/$MY_USERNAME/README + echo '=============' >> /home/$MY_USERNAME/README + echo $"Mumble onion domain:$VOIP_ONION_HOSTNAME" >> /home/$MY_USERNAME/README + echo $'Mumble server username: mumble-server' >> /home/$MY_USERNAME/README + if [[ $SYSTEM_TYPE != "VARIANT_MESH" ]]; then + echo $"Mumble server password: $VOIP_SERVER_PASSWORD" >> /home/$MY_USERNAME/README + fi + echo '' >> /home/$MY_USERNAME/README + echo $'To connect to the Mumble server use your username and the server password shown above.' >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + function_check configure_firewall_for_voip + configure_firewall_for_voip + echo 'install_mumble' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-rss b/src/freedombone-app-rss new file mode 100755 index 00000000..fbd4ed50 --- /dev/null +++ b/src/freedombone-app-rss @@ -0,0 +1,422 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# RSS reader application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +RSS_READER_REPO="https://tt-rss.org/git/tt-rss.git" +RSS_READER_COMMIT='9e84bab449f9ed55e02e60378b0af1521026f3b8' +RSS_READER_ADMIN_PASSWORD= +RSS_READER_ONION_PORT=8092 +RSS_MOBILE_READER_ONION_PORT=8095 +RSS_READER_DOMAIN_NAME=ttrss +RSS_MOBILE_READER_REPO="https://github.com/mboinet/ttrss-mobile" +RSS_MOBILE_READER_COMMIT='d5242e1c269e9480ab3b66b7a38da3c892dfb326' +RSS_READER_PATH=/etc/share/tt-rss +RSS_READER_GNUSOCIAL_REPO="https://github.com/bashrc/ttrss-gnusocial" +RSS_READER_GNUSOCIAL_COMMIT='8b92b8f5db7b0d12459c7bd86a50f48815efe642' + +function rss_reader_modifications { + # modify the rss reader to use a socks5 proxy rather than a http proxy + if [ ! -d $RSS_READER_PATH ]; then + return + fi + + # ensure that socks5 proxy is used + if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/plugins/af_unburn/init.php; then + sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/plugins/af_unburn/init.php + fi + if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/include/functions.php; then + sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/include/functions.php + fi + chown -R www-data:www-data $RSS_READER_PATH + chmod a+x $RSS_READER_PATH +} + +function install_rss_reader { + if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit $RSS_READER_PATH "RSS reader commit" "$RSS_READER_COMMIT" $RSS_READER_REPO + + if grep -Fxq "install_rss_reader" $COMPLETION_FILE; then + return + fi + + apt-get -y install php-gettext php5-curl php5-gd php5-mysql git curl php-xml-parser + + if [ ! -d /etc/share ]; then + mkdir /etc/share + fi + cd /etc/share + function_check git_clone + git_clone $RSS_READER_REPO tt-rss + if [ ! -d $RSS_READER_PATH ]; then + echo $'Could not clone RSS reader repo' + exit 52925 + fi + cd $RSS_READER_PATH + git checkout $RSS_READER_COMMIT -b $RSS_READER_COMMIT + if ! grep -q "RSS reader commit" $COMPLETION_FILE; then + echo "RSS reader commit:$RSS_READER_COMMIT" >> $COMPLETION_FILE + fi + + function_check install_mariadb + install_mariadb + + function_check get_mariadb_password + get_mariadb_password + + function_check repair_databases_script + repair_databases_script + + function_check get_mariadb_rss_reader_admin_password + get_mariadb_rss_reader_admin_password + if [ ! $RSS_READER_ADMIN_PASSWORD ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + RSS_READER_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + RSS_READER_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + fi + + function_check create_database + create_database ttrss "$RSS_READER_ADMIN_PASSWORD" $MY_USERNAME + + RSS_READER_ONION_HOSTNAME=$(add_onion_service ttrss 80 ${RSS_READER_ONION_PORT}) + RSS_MOBILE_READER_ONION_HOSTNAME=$(add_onion_service ttrss 80 ${RSS_MOBILE_READER_ONION_PORT}) + + echo 'server {' > /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo " listen 127.0.0.1:$RSS_MOBILE_READER_ONION_PORT;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo " server_name $RSS_MOBILE_READER_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' error_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' root /etc/share/ttrss-mobile;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' index index.html index.php;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' try_files $uri $uri/ @ttrss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location /tt-rss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' try_files $uri $uri/ @ttrss_base;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location @ttrss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' rewrite ^(.*)$ /index.html?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location @ttrss_base {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location ~ /\.(git) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo 'server {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo " listen 127.0.0.1:$RSS_READER_ONION_PORT default_server;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo " server_name $RSS_READER_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' error_log off;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' root /etc/share/tt-rss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' index index.php;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' set $mobile_rewrite do_not_perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' ## chi http_user_agent for mobile / smart phones ##' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino") {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' set $mobile_rewrite perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' if ($http_user_agent ~* "^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-)") {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' set $mobile_rewrite perform;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' if ($mobile_rewrite = perform) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo " rewrite ^/(.*) http://$RSS_MOBILE_READER_ONION_HOSTNAME permanent;" >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' break;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location ~ \.php {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' include snippets/fastcgi-php.conf;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' try_files $uri $uri/ @ttrss;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location @ttrss {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' rewrite ^(.*)$ /index.php?p=$1 last;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' location ~ /\.(git) {' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$RSS_READER_DOMAIN_NAME + + if [ ! -f $RSS_READER_PATH/config.php ]; then + # generate a config file + RSS_FEED_CRYPT_KEY="$(create_password 24)" + echo ' $RSS_READER_PATH/config.php + echo " define ('_CURL_HTTP_PROXY', '127.0.0.1:9050');" >> $RSS_READER_PATH/config.php + echo " define('DB_TYPE', 'mysql');" >> $RSS_READER_PATH/config.php + echo " define('DB_HOST', 'localhost');" >> $RSS_READER_PATH/config.php + echo " define('DB_USER', 'root');" >> $RSS_READER_PATH/config.php + echo " define('DB_NAME', 'ttrss');" >> $RSS_READER_PATH/config.php + echo " define('DB_PASS', '${MARIADB_PASSWORD}');" >> $RSS_READER_PATH/config.php + echo " define('DB_PORT', '3306');" >> $RSS_READER_PATH/config.php + echo " define('MYSQL_CHARSET', 'UTF8');" >> $RSS_READER_PATH/config.php + echo " define('SELF_URL_PATH', 'http://${RSS_READER_ONION_HOSTNAME}/');" >> $RSS_READER_PATH/config.php + echo " define('FEED_CRYPT_KEY', '${RSS_FEED_CRYPT_KEY}');" >> $RSS_READER_PATH/config.php + echo " define('SINGLE_USER_MODE', false);" >> $RSS_READER_PATH/config.php + echo " define('SIMPLE_UPDATE_MODE', false);" >> $RSS_READER_PATH/config.php + echo " define('PHP_EXECUTABLE', '/usr/bin/php');" >> $RSS_READER_PATH/config.php + echo " define('LOCK_DIRECTORY', 'lock');" >> $RSS_READER_PATH/config.php + echo " define('CACHE_DIR', 'cache');" >> $RSS_READER_PATH/config.php + echo " define('ICONS_DIR', \"feed-icons\");" >> $RSS_READER_PATH/config.php + echo " define('ICONS_URL', \"feed-icons\");" >> $RSS_READER_PATH/config.php + echo " define('AUTH_AUTO_CREATE', true);" >> $RSS_READER_PATH/config.php + echo " define('AUTH_AUTO_LOGIN', true);" >> $RSS_READER_PATH/config.php + echo " define('FORCE_ARTICLE_PURGE', 0);" >> $RSS_READER_PATH/config.php + echo " define('PUBSUBHUBBUB_HUB', '');" >> $RSS_READER_PATH/config.php + echo " define('PUBSUBHUBBUB_ENABLED', false);" >> $RSS_READER_PATH/config.php + echo " define('SPHINX_SERVER', 'localhost:9312');" >> $RSS_READER_PATH/config.php + echo " define('SPHINX_INDEX', 'ttrss, delta');" >> $RSS_READER_PATH/config.php + echo " define('ENABLE_REGISTRATION', false);" >> $RSS_READER_PATH/config.php + echo " define('REG_NOTIFY_ADDRESS', '${MY_EMAIL_ADDRESS}');" >> $RSS_READER_PATH/config.php + echo " define('REG_MAX_USERS', 10);" >> $RSS_READER_PATH/config.php + echo " define('SESSION_COOKIE_LIFETIME', 86400);" >> $RSS_READER_PATH/config.php + echo " define('SMTP_FROM_NAME', 'Tiny Tiny RSS');" >> $RSS_READER_PATH/config.php + echo " define('SMTP_FROM_ADDRESS', 'noreply@${RSS_READER_ONION_HOSTNAME}');" >> $RSS_READER_PATH/config.php + echo " define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');" >> $RSS_READER_PATH/config.php + echo " define('SMTP_SERVER', '');" >> $RSS_READER_PATH/config.php + echo " define('SMTP_LOGIN', '');" >> $RSS_READER_PATH/config.php + echo " define('SMTP_PASSWORD', '');" >> $RSS_READER_PATH/config.php + echo " define('SMTP_SECURE', '');" >> $RSS_READER_PATH/config.php + echo " define('CHECK_FOR_UPDATES', false);" >> $RSS_READER_PATH/config.php + echo " define('ENABLE_GZIP_OUTPUT', false);" >> $RSS_READER_PATH/config.php + echo " define('PLUGINS', 'auth_internal, note, gnusocial');" >> $RSS_READER_PATH/config.php + echo " define('LOG_DESTINATION', 'sql');" >> $RSS_READER_PATH/config.php + echo " define('CONFIG_VERSION', 26);" >> $RSS_READER_PATH/config.php + fi + + # initialize the database + if [ ! -f $RSS_READER_PATH/schema/ttrss_schema_mysql.sql ]; then + echo $'No database schema found for rss reader' + exit 52926 + fi + initialise_database ttrss $RSS_READER_PATH/schema/ttrss_schema_mysql.sql + + # change the password from the default + RSS_READER_ADMIN_PASSWORD_HASH=$(echo -n "${RSS_READER_ADMIN_PASSWORD}" | sha1sum | awk -F ' ' '{print $1}') + + function_check run_query + run_query ttrss "update ttrss_users set pwd_hash = 'SHA1:${RSS_READER_ADMIN_PASSWORD_HASH}', salt= '' WHERE login = 'admin';" + + function_check rss_reader_modifications + rss_reader_modifications + + function_check configure_php + configure_php + + nginx_ensite $RSS_READER_DOMAIN_NAME + systemctl restart php5-fpm + systemctl restart nginx + + if ! grep -q "RSS reader onion domain" $COMPLETION_FILE; then + echo "RSS reader onion domain:${RSS_READER_ONION_HOSTNAME}" >> $COMPLETION_FILE + fi + if ! grep -q "RSS reader domain" $COMPLETION_FILE; then + echo "RSS reader domain:${RSS_READER_DOMAIN_NAME}" >> $COMPLETION_FILE + fi + + # daemon to update feeds + echo '[Unit]' > /etc/systemd/system/ttrss.service + echo 'Description=ttrss_backend' >> /etc/systemd/system/ttrss.service + echo 'After=network.target mysql.service' >> /etc/systemd/system/ttrss.service + echo 'After=tor.service' >> /etc/systemd/system/ttrss.service + echo '' >> /etc/systemd/system/ttrss.service + echo '[Service]' >> /etc/systemd/system/ttrss.service + echo 'User=www-data' >> /etc/systemd/system/ttrss.service + echo "ExecStart=/usr/bin/php $RSS_READER_PATH/update.php --daemon" >> /etc/systemd/system/ttrss.service + echo '' >> /etc/systemd/system/ttrss.service + echo '[Install]' >> /etc/systemd/system/ttrss.service + echo 'WantedBy=multi-user.target' >> /etc/systemd/system/ttrss.service + systemctl enable ttrss + systemctl daemon-reload + systemctl start ttrss + + # some post-install instructions for the user + if ! grep -q $"RSS Reader" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'RSS Reader' >> /home/$MY_USERNAME/README + echo '==========' >> /home/$MY_USERNAME/README + echo $"RSS reader domain: ${RSS_READER_DOMAIN_NAME}" >> /home/$MY_USERNAME/README + echo $"RSS reader onion domain: ${RSS_READER_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README + echo $"RSS reader admin username: admin" >> /home/$MY_USERNAME/README + echo $"RSS reader admin password: ${RSS_READER_ADMIN_PASSWORD}" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + echo 'install_rss_reader' >> $COMPLETION_FILE +} + +function install_rss_reader_gnusocial { + if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + if [ ! $MICROBLOG_DOMAIN_NAME ]; then + return + fi + + if [ ! $RSS_READER_PATH ]; then + RSS_READER_PATH=/etc/share/tt-rss + fi + RSS_READER_GNUSOCIAL_PATH=${RSS_READER_PATH}/plugins/gnusocial + + # update to the next commit + function_check set_repo_commit + set_repo_commit $RSS_READER_GNUSOCIAL_PATH "RSS reader gnusocial commit" "$RSS_READER_GNUSOCIAL_COMMIT" $RSS_READER_GNUSOCIAL_REPO + chown -R www-data:www-data $RSS_READER_GNUSOCIAL_PATH + + if grep -Fxq "install_rss_reader_gnusocial" $COMPLETION_FILE; then + return + fi + + if [ ! -d $INSTALL_DIR ]; then + mkdir -p $INSTALL_DIR + fi + + cd $INSTALL_DIR + function_check git_clone + git_clone $RSS_READER_GNUSOCIAL_REPO ttrss-gnusocial + if [ ! -d $INSTALL_DIR/ttrss-gnusocial ]; then + echo $'Could not clone repo for RSS reader GNU Social plugin' + exit 52838 + fi + cp -r $INSTALL_DIR/ttrss-gnusocial $RSS_READER_GNUSOCIAL_PATH + cd $RSS_READER_GNUSOCIAL_PATH + git checkout $RSS_READER_GNUSOCIAL_COMMIT -b $RSS_READER_GNUSOCIAL_COMMIT + if ! grep -q "RSS reader gnusocial commit" $COMPLETION_FILE; then + echo "RSS reader gnusocial commit:$RSS_READER_GNUSOCIAL_COMMIT" >> $COMPLETION_FILE + fi + chown -R www-data:www-data $RSS_READER_GNUSOCIAL_PATH + + echo 'install_rss_reader_gnusocial' >> $COMPLETION_FILE +} + +function install_rss_mobile_reader { + if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + if [ ! $RSS_READER_PATH ]; then + RSS_READER_PATH=/etc/share/tt-rss + fi + + if [ ! -d $RSS_READER_PATH ]; then + echo $'tt-rss is not installed, so the mobile version cannot be installed' + exit 63452 + fi + + RSS_MOBILE_READER_PATH=/etc/share/ttrss-mobile + + # remove any previous install + if [ -d $RSS_READER_PATH/g2ttree-mobile ]; then + if grep -Fxq "install_rss_mobile_reader" $COMPLETION_FILE; then + sed -i '/install_rss_mobile_reader/d' $COMPLETION_FILE + sed -i '/RSS mobile reader commit/d' $COMPLETION_FILE + rm -rf $RSS_READER_PATH/g2ttree-mobile + fi + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit $RSS_MOBILE_READER_PATH "RSS mobile reader commit" "$RSS_MOBILE_READER_COMMIT" $RSS_MOBILE_READER_REPO + + if grep -Fxq "install_rss_mobile_reader" $COMPLETION_FILE; then + return + fi + + cd /etc/share + function_check git_clone + git_clone $RSS_MOBILE_READER_REPO ttrss-mobile + if [ ! -d $RSS_MOBILE_READER_PATH ]; then + echo $'Could not clone RSS mobile reader repo' + exit 24816 + fi + cd $RSS_MOBILE_READER_PATH + git checkout $RSS_MOBILE_READER_COMMIT -b $RSS_MOBILE_READER_COMMIT + if ! grep -q "RSS mobile reader commit" $COMPLETION_FILE; then + echo "RSS mobile reader commit:$RSS_MOBILE_READER_COMMIT" >> $COMPLETION_FILE + fi + + echo 'define({' > $RSS_MOBILE_READER_PATH/scripts/conf.js + echo ' apiPath: "/tt-rss/"' >> $RSS_MOBILE_READER_PATH/scripts/conf.js + echo '});' >> $RSS_MOBILE_READER_PATH/scripts/conf.js + + # link to the main site + ln -s $RSS_READER_PATH $RSS_MOBILE_READER_PATH/tt-rss + + chown -R www-data:www-data $RSS_MOBILE_READER_PATH + chown -R www-data:www-data $RSS_READER_PATH + chmod a+x $RSS_MOBILE_READER_PATH + + echo 'install_rss_mobile_reader' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-search b/src/freedombone-app-search new file mode 100755 index 00000000..bbc3e04f --- /dev/null +++ b/src/freedombone-app-search @@ -0,0 +1,248 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Search engine application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +SEARCH_ENGINE_REPO="https://github.com/asciimoo/searx" +SEARCH_ENGINE_COMMIT='fee556c9904637051a9ba874ba7e71cd9f10789f' +SEARCH_ENGINE_PATH=/etc +SEARCH_ENGINE_ONION_PORT=8094 +SEARCH_ENGINE_ONION_HOSTNAME= +SEARCH_ENGINE_LOGIN_TEXT=$"Search engine login" +SEARCH_ENGINE_PASSWORD= + +function install_search_engine { + # Note: currently socks5 outgoing proxies to other search engines does not work + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! -d /etc/nginx ]; then + echo $'Webserver is not installed' + exit 62429 + fi + + # update to a new commit if needed + set_repo_commit $SEARCH_ENGINE_PATH/searx "Search engine commit" "$SEARCH_ENGINE_COMMIT" $SEARCH_ENGINE_REPO + if grep "Search engine key" $COMPLETION_FILE; then + if [ -f ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml ]; then + # note: this might change to a --tor option in a later version + if ! grep 'socks5://127.0.0.1:9050' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml; then + echo 'outgoing: # communication with search engines' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + echo ' proxies:' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + echo ' http : socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + echo ' https: socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + fi + SEARCH_ENGINE_SECRET_KEY=$(cat $COMPLETION_FILE | grep "Search engine key" | awk -F ':' '{print $2}') + sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + if [ -f /var/lib/tor/hidden_service_searx/hostname ]; then + SEARCH_ENGINE_ONION_HOSTNAME=$(echo /var/lib/tor/hidden_service_searx/hostname) + sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + fi + fi + fi + + if grep -Fxq "install_search_engine" $COMPLETION_FILE; then + return + fi + + apt-get -y install python-pip libyaml-dev python-werkzeug python-babel python-lxml apache2-utils + apt-get -y install git build-essential libxslt-dev python-dev python-virtualenv python-pybabel zlib1g-dev uwsgi uwsgi-plugin-python libapache2-mod-uwsgi + + pip install --upgrade pip + + pip install certifi + if [ ! "$?" = "0" ]; then + echo $'Failed to install certifi' + exit 737692 + fi + + pip install pyyaml + if [ ! "$?" = "0" ]; then + echo $'Failed to install pyyaml' + exit 469242 + fi + + pip install flask --upgrade + if [ ! "$?" = "0" ]; then + echo $'Failed to install flask' + exit 888575 + fi + + pip install flask_restless --upgrade + if [ ! "$?" = "0" ]; then + echo $'Failed to install flask_restless' + exit 54835 + fi + + pip install flask_babel --upgrade + if [ ! "$?" = "0" ]; then + echo $'Failed to install flask_babel' + exit 63738 + fi + + if [ ! -d $SEARCH_ENGINE_PATH ]; then + mkdir -p $SEARCH_ENGINE_PATH + fi + + # clone the repo + cd $SEARCH_ENGINE_PATH + function_check git_clone + git_clone $SEARCH_ENGINE_REPO searx + git checkout $SEARCH_ENGINE_COMMIT -b $SEARCH_ENGINE_COMMIT + if ! grep -q "Search engine commit" $COMPLETION_FILE; then + echo "Search engine commit:$SEARCH_ENGINE_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/Search engine commit.*/Search engine commit:$SEARCH_ENGINE_COMMIT/g" $COMPLETION_FILE + fi + + # create an onion service + SEARCH_ENGINE_ONION_HOSTNAME=$(add_onion_service searx 80 ${SEARCH_ENGINE_ONION_PORT}) + if ! grep "Search engine onion domain" $COMPLETION_FILE; then + echo "Search engine onion domain:${SEARCH_ENGINE_ONION_HOSTNAME}" >> $COMPLETION_FILE + else + sed -i "s|Search engine onion domain.*|Search engine onion domain:${SEARCH_ENGINE_ONION_HOSTNAME}|g" $COMPLETION_FILE + fi + + # an unprivileged user to run as + useradd -d ${SEARCH_ENGINE_PATH}/searx/ -s /bin/false searx + adduser searx debian-tor + + # daemon + echo '[Unit]' > /etc/systemd/system/searx.service + echo 'Description=Searx (search engine)' >> /etc/systemd/system/searx.service + echo 'After=syslog.target' >> /etc/systemd/system/searx.service + echo 'After=network.target' >> /etc/systemd/system/searx.service + echo '' >> /etc/systemd/system/searx.service + echo '[Service]' >> /etc/systemd/system/searx.service + echo 'Type=simple' >> /etc/systemd/system/searx.service + echo 'User=searx' >> /etc/systemd/system/searx.service + echo 'Group=searx' >> /etc/systemd/system/searx.service + echo "WorkingDirectory=${SEARCH_ENGINE_PATH}/searx" >> /etc/systemd/system/searx.service + echo "ExecStart=/usr/bin/python ${SEARCH_ENGINE_PATH}/searx/searx/webapp.py" >> /etc/systemd/system/searx.service + echo 'Restart=always' >> /etc/systemd/system/searx.service + echo 'Environment="USER=searx"' >> /etc/systemd/system/searx.service + echo '' >> /etc/systemd/system/searx.service + echo '[Install]' >> /etc/systemd/system/searx.service + echo 'WantedBy=multi-user.target' >> /etc/systemd/system/searx.service + + # create a webserver file + echo 'server {' > /etc/nginx/sites-available/searx + echo " listen 127.0.0.1:${SEARCH_ENGINE_ONION_PORT} default_server;" >> /etc/nginx/sites-available/searx + echo " root ${SEARCH_ENGINE_PATH}/searx;" >> /etc/nginx/sites-available/searx + echo " server_name ${SEARCH_ENGINE_ONION_HOSTNAME};" >> /etc/nginx/sites-available/searx + echo ' access_log off;' >> /etc/nginx/sites-available/searx + echo " error_log /var/log/searx_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/searx + echo '' >> /etc/nginx/sites-available/searx + function_check nginx_limits + nginx_limits searx '1M' + function_check nginx_disable_sniffing + nginx_disable_sniffing searx + echo ' add_header Strict-Transport-Security max-age=0;' >> /etc/nginx/sites-available/searx + echo '' >> /etc/nginx/sites-available/searx + echo ' location / {' >> /etc/nginx/sites-available/searx + echo ' proxy_pass http://localhost:8888;' >> /etc/nginx/sites-available/searx + echo ' proxy_set_header Host $host;' >> /etc/nginx/sites-available/searx + echo ' proxy_set_header X-Real-IP $remote_addr;' >> /etc/nginx/sites-available/searx + echo ' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' >> /etc/nginx/sites-available/searx + echo ' proxy_set_header X-Remote-Port $remote_port;' >> /etc/nginx/sites-available/searx + echo ' proxy_set_header X-Forwarded-Proto $scheme;' >> /etc/nginx/sites-available/searx + echo ' proxy_redirect off;' >> /etc/nginx/sites-available/searx + + echo " auth_basic \"${SEARCH_ENGINE_LOGIN_TEXT}\";" >> /etc/nginx/sites-available/searx + echo ' auth_basic_user_file /etc/nginx/.htpasswd;' >> /etc/nginx/sites-available/searx + echo ' }' >> /etc/nginx/sites-available/searx + echo '' >> /etc/nginx/sites-available/searx + echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/searx + echo '' >> /etc/nginx/sites-available/searx + echo ' error_page 403 /core/templates/403.php;' >> /etc/nginx/sites-available/searx + echo ' error_page 404 /core/templates/404.php;' >> /etc/nginx/sites-available/searx + echo '' >> /etc/nginx/sites-available/searx + echo ' location = /robots.txt {' >> /etc/nginx/sites-available/searx + echo ' allow all;' >> /etc/nginx/sites-available/searx + echo ' log_not_found off;' >> /etc/nginx/sites-available/searx + echo ' access_log off;' >> /etc/nginx/sites-available/searx + echo ' }' >> /etc/nginx/sites-available/searx + echo '}' >> /etc/nginx/sites-available/searx + + # replace the secret key + if ! grep "Search engine key" $COMPLETION_FILE; then + SEARCH_ENGINE_SECRET_KEY="$(create_password 30)" + echo "Search engine key:${SEARCH_ENGINE_SECRET_KEY}" >> $COMPLETION_FILE + else + SEARCH_ENGINE_SECRET_KEY=$(cat $COMPLETION_FILE | grep "Search engine key" | awk -F ':' '{print $2}') + fi + sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + sed -i "s|secret_key.*|secret_key : \"${SEARCH_ENGINE_SECRET_KEY}\"|g" ${SEARCH_ENGINE_PATH}/searx/searx/settings_robot.yml + sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + sed -i '0,/RE/s/base_url.*/base_url : \"http://${SEARCH_ENGINE_ONION_HOSTNAME}\/' ${SEARCH_ENGINE_PATH}/searx/searx/settings_robot.yml + + # note: this might change to a --tor option in a later version + if ! grep 'socks5://127.0.0.1:9050' ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml; then + echo 'outgoing: # communication with search engines' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + echo ' proxies:' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + echo ' http : socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + echo ' https: socks5://127.0.0.1:9050' >> ${SEARCH_ENGINE_PATH}/searx/searx/settings.yml + fi + + chown -R searx:searx ${SEARCH_ENGINE_PATH}/searx + + # enable the site + nginx_ensite searx + + # restart the web server + systemctl restart php5-fpm + systemctl restart nginx + + # start the daemon + systemctl enable searx.service + systemctl daemon-reload + systemctl start searx.service + + if ! grep -q "Your search engine password is" /home/$MY_USERNAME/README; then + if [ ${#SEARCH_ENGINE_PASSWORD} -lt 8 ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + SEARCH_ENGINE_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + SEARCH_ENGINE_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + fi + echo "$SEARCH_ENGINE_PASSWORD" | htpasswd -i -s -c /etc/nginx/.htpasswd $MY_USERNAME + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Search Engine' >> /home/$MY_USERNAME/README + echo '=============' >> /home/$MY_USERNAME/README + echo $"Search engine onion domain: ${SEARCH_ENGINE_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README + echo $"Your search engine password is: $SEARCH_ENGINE_PASSWORD" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + echo 'install_search_engine' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-sip b/src/freedombone-app-sip new file mode 100755 index 00000000..312b7436 --- /dev/null +++ b/src/freedombone-app-sip @@ -0,0 +1,318 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# SIP functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +SIP_SERVER_PASSWORD= +SIP_PORT=5060 +SIP_TLS_PORT=5061 +VOIP_TURN_PORT=3478 +VOIP_TURN_TLS_PORT=5349 +VOIP_TURN_NONCE= + +function get_sip_server_password { + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "SIP server password" /home/$MY_USERNAME/README; then + if [ ! $SIP_SERVER_PASSWORD ]; then + SIP_SERVER_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "SIP server password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi +} + +function update_sipwitch_daemon { + if [ ! -f /etc/init.d/sipwitch ]; then + return + fi + service sipwitch stop + + # remove the original sipwitch daemon if it exists + if [ -f /etc/init.d/sipwitch ]; then + rm -f /etc/init.d/sipwitch + fi + + # daemon + echo '[Unit]' > /etc/systemd/system/sipwitch.service + echo 'Description=GNU SIP Witch, a SIP telephony service daemon.' >> /etc/systemd/system/sipwitch.service + echo 'After=network.target' >> /etc/systemd/system/sipwitch.service + echo '' >> /etc/systemd/system/sipwitch.service + echo '[Service]' >> /etc/systemd/system/sipwitch.service + echo 'Type=simple' >> /etc/systemd/system/sipwitch.service + echo 'Group=sipwitch' >> /etc/systemd/system/sipwitch.service + echo 'PIDFile=/var/run/sipwitch/pidfile' >> /etc/systemd/system/sipwitch.service + echo 'EnvironmentFile=-/etc/conf.d/sipwitch' >> /etc/systemd/system/sipwitch.service + echo 'EnvironmentFile=-/etc/sipwitch.conf' >> /etc/systemd/system/sipwitch.service + echo 'EnvironmentFile=-/etc/default/sipwitch' >> /etc/systemd/system/sipwitch.service + echo 'ExecStartPre=-/bin/rm -f /var/run/sipwitch/control' >> /etc/systemd/system/sipwitch.service + echo "ExecStart=/usr/sbin/sipw -f \$OPTIONS -P$SIP_PORT" >> /etc/systemd/system/sipwitch.service + echo 'Restart=always' >> /etc/systemd/system/sipwitch.service + echo 'NotifyAccess=main' >> /etc/systemd/system/sipwitch.service + echo '' >> /etc/systemd/system/sipwitch.service + echo '[Install]' >> /etc/systemd/system/sipwitch.service + echo 'WantedBy=multi-user.target' >> /etc/systemd/system/sipwitch.service + + systemctl enable sipwitch + systemctl daemon-reload + systemctl start sipwitch +} + +function install_sip { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + return + fi + if grep -Fxq "install_sip" $COMPLETION_FILE; then + return + fi + + apt-get -y install sipwitch + + function_check get_sip_server_password + get_sip_server_password + if [ ! $SIP_SERVER_PASSWORD ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + SIP_SERVER_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + SIP_SERVER_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + fi + + echo '' > /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + + echo "" >> /etc/sipwitch.conf + echo '201' >> /etc/sipwitch.conf + echo "$SIP_SERVER_PASSWORD" >> /etc/sipwitch.conf + echo "$MY_USERNAME 201" >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + + echo '' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo " $DEFAULT_DOMAIN_NAME" >> /etc/sipwitch.conf + echo ' 200' >> /etc/sipwitch.conf + echo ' 2' >> /etc/sipwitch.conf + echo ' *' >> /etc/sipwitch.conf + echo ' false' >> /etc/sipwitch.conf + echo ' system' >> /etc/sipwitch.conf + echo ' anonymous' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo ' ' >> /etc/sipwitch.conf + echo ' 4' >> /etc/sipwitch.conf + echo ' ' >> /etc/sipwitch.conf + echo ' 4' >> /etc/sipwitch.conf + echo ' ' >> /etc/sipwitch.conf + echo ' 6' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo ' 200' >> /etc/sipwitch.conf + echo ' 100' >> /etc/sipwitch.conf + echo ' 77' >> /etc/sipwitch.conf + echo ' 200' >> /etc/sipwitch.conf + echo ' ' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + echo '' >> /etc/sipwitch.conf + + sed -i 's|#PLUGINS=|PLUGINS=|g' /etc/default/sipwitch + sed -i 's|PLUGINS=.*|PLUGINS="zeroconf subscriber forward"|g' /etc/default/sipwitch + groupadd sipwitch + usermod -aG sipwitch $MY_USERNAME + + SIP_ONION_HOSTNAME=$(add_onion_service sip ${SIP_PORT} ${SIP_PORT}) + if ! grep -q $"SIP onion domain" $COMPLETION_FILE; then + echo "SIP onion domain:$SIP_ONION_HOSTNAME" >> $COMPLETION_FILE + fi + + if ! grep -q $"SIP Server" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'SIP Server' >> /home/$MY_USERNAME/README + echo '==========' >> /home/$MY_USERNAME/README + echo $"SIP onion_domain: $SIP_ONION_HOSTNAME" >> /home/$MY_USERNAME/README + echo $"SIP server username: $MY_USERNAME" >> /home/$MY_USERNAME/README + echo $"SIP server extension: 201" >> /home/$MY_USERNAME/README + echo $"SIP server password: $SIP_SERVER_PASSWORD" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + function_check configure_firewall_for_sip4 + configure_firewall_for_sip4 + echo 'install_sip' >> $COMPLETION_FILE +} + +function install_sip_turn { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + return + fi + if grep -Fxq "install_sip_turn" $COMPLETION_FILE; then + return + fi + + apt-get -y install turnserver + + # create a nonce if needed + if [ ! $VOIP_TURN_NONCE ]; then + VOIP_TURN_NONCE="$(create_password 30)" + fi + + function_check create_site_certificate + create_site_certificate $DEFAULT_DOMAIN_NAME + + echo '##' > /etc/turnserver/turnserver.conf + echo '# TurnServer configuration file.' >> /etc/turnserver/turnserver.conf + echo '#' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Public IPv4 address of any relayed address (if not set, no relay for IPv4).' >> /etc/turnserver/turnserver.conf + echo '## To have multiple address, separate addresses with a comma' >> /etc/turnserver/turnserver.conf + echo '## (i.e. listen_address = { "172.16.0.1", "172.17.0.1" }).' >> /etc/turnserver/turnserver.conf + echo "listen_address = { \"192.168.0.1\" }" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Public IPv6 address of any relayed address (if not set, no relay for IPv6).' >> /etc/turnserver/turnserver.conf + echo '## To have multiple address, separate address with a comma' >> /etc/turnserver/turnserver.conf + echo '## (i.e. listen_addressv6 = { "2001:db8:1::1", "2001:db8:2::1" }).' >> /etc/turnserver/turnserver.conf + echo "#listen_addressv6 = { \"2001:db8::1\" }" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## UDP listening port.' >> /etc/turnserver/turnserver.conf + echo "udp_port = $VOIP_TURN_PORT" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TCP listening port.' >> /etc/turnserver/turnserver.conf + echo "tcp_port = $VOIP_TURN_PORT" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TLS listening port.' >> /etc/turnserver/turnserver.conf + echo "tls_port = $VOIP_TURN_TLS_PORT" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TLS support.' >> /etc/turnserver/turnserver.conf + echo 'tls = true' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## DTLS support. It is an experimental feature and is not defined in TURN' >> /etc/turnserver/turnserver.conf + echo '## standard.' >> /etc/turnserver/turnserver.conf + echo 'dtls = false' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Maximum allocation port number.' >> /etc/turnserver/turnserver.conf + echo 'max_port = 65535' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Minimum allocation port number.' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo 'min_port = 49152' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TURN-TCP support.' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo 'turn_tcp = true' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TURN-TCP buffering mode:' >> /etc/turnserver/turnserver.conf + echo '## - true, use userspace buffering;' >> /etc/turnserver/turnserver.conf + echo '## - false, use kernel buffering.' >> /etc/turnserver/turnserver.conf + echo 'tcp_buffer_userspace = true' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TURN-TCP maximum buffer size.' >> /etc/turnserver/turnserver.conf + echo 'tcp_buffer_size = 32768' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Daemon mode.' >> /etc/turnserver/turnserver.conf + echo 'daemon = true' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Unprivileged user.' >> /etc/turnserver/turnserver.conf + echo '## If you want to use this feature create a system user.' >> /etc/turnserver/turnserver.conf + echo '## On Linux: adduser --system --group turnserver' >> /etc/turnserver/turnserver.conf + echo 'unpriv_user = turnserver' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Realm value.' >> /etc/turnserver/turnserver.conf + echo "realm = \"$DEFAULT_DOMAIN_NAME\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Nonce key.' >> /etc/turnserver/turnserver.conf + echo "nonce_key = \"$VOIP_TURN_NONCE\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Max relay per username.' >> /etc/turnserver/turnserver.conf + echo 'max_relay_per_username = 5' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Allocation lifetime.' >> /etc/turnserver/turnserver.conf + echo 'allocation_lifetime = 1800' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Allocation bandwidth limitation (in KBytes/s).' >> /etc/turnserver/turnserver.conf + echo '## 0 value means bandwidth quota disabled.' >> /etc/turnserver/turnserver.conf + echo 'bandwidth_per_allocation = 150' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Restricted user bandwidth (in KBytes/s).' >> /etc/turnserver/turnserver.conf + echo '## 0 value means bandwidth limitation disabled.' >> /etc/turnserver/turnserver.conf + echo 'restricted_bandwidth = 10' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Denied addresses.' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '# disallow relaying to localhost' >> /etc/turnserver/turnserver.conf + echo 'denied_address {' >> /etc/turnserver/turnserver.conf + echo ' address = "127.0.0.1"' >> /etc/turnserver/turnserver.conf + echo ' mask = "8"' >> /etc/turnserver/turnserver.conf + echo ' port = 0' >> /etc/turnserver/turnserver.conf + echo '}' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '# disallow relaying to ip6-localhost' >> /etc/turnserver/turnserver.conf + echo 'denied_address {' >> /etc/turnserver/turnserver.conf + echo ' address = "::1"' >> /etc/turnserver/turnserver.conf + echo ' mask = "128"' >> /etc/turnserver/turnserver.conf + echo ' port = 0' >> /etc/turnserver/turnserver.conf + echo '}' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Certification Authority file.' >> /etc/turnserver/turnserver.conf + echo "ca_file = \"/etc/ssl/certs/ca-certificates.crt\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Server certificate file.' >> /etc/turnserver/turnserver.conf + if [ -f /etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem ]; then + echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem\"" >> /etc/turnserver/turnserver.conf + else + if [ -f /etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt ]; then + echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt\"" >> /etc/turnserver/turnserver.conf + fi + fi + echo '' >> /etc/turnserver/turnserver.conf + echo '## Private key file.' >> /etc/turnserver/turnserver.conf + echo "private_key_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.key\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Account method.' >> /etc/turnserver/turnserver.conf + echo "account_method = \"file\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Account file (if account_method = file).' >> /etc/turnserver/turnserver.conf + echo "account_file = \"/etc/turnserver/turnusers.txt\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## mod_tmpuser.' >> /etc/turnserver/turnserver.conf + echo 'mod_tmpuser = false' >> /etc/turnserver/turnserver.conf + + echo "${MY_USERNAME}:password:${DEFAULT_DOMAIN_NAME}:authorized" > /etc/turnserver/turnusers.txt + + systemctl restart turnserver + + function_check configure_firewall_for_voip_turn + configure_firewall_for_voip_turn + echo 'install_sip_turn' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-syncthing b/src/freedombone-app-syncthing new file mode 100755 index 00000000..2ac4dd15 --- /dev/null +++ b/src/freedombone-app-syncthing @@ -0,0 +1,85 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Syncthing application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +SYNCTHING_ID= +SYNCTHING_CONFIG_PATH=/root/.config/syncthing +SYNCTHING_CONFIG_FILE=$SYNCTHING_CONFIG_PATH/config.xml +SYNCTHING_RELAY_SERVER='https://relays.syncthing.net/endpoint' +SYNCTHING_RELEASES='https://api.github.com/repos/syncthing/syncthing/releases?per_page=30' +SYNCTHING_PORT=22000 +SYNCTHING_SHARED_DATA=/var/lib/syncthing/SyncShared +SYNCTHING_USER_IDS_FILE='.syncthingids' + +function install_syncthing { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "install_syncthing" $COMPLETION_FILE; then + return + fi + + apt-get -y install curl + + curl -s https://syncthing.net/release-key.txt | apt-key add - + echo "deb http://apt.syncthing.net/ syncthing release" | tee /etc/apt/sources.list.d/syncthing.list + apt-get update + apt-get -y install syncthing + + # This probably does need to run as root so that it can access the Sync directories + # in each user's home directory + echo '[Unit]' > /etc/systemd/system/syncthing.service + echo 'Description=Syncthing - Open Source Continuous File Synchronization' >> /etc/systemd/system/syncthing.service + echo 'Documentation=man:syncthing(1)' >> /etc/systemd/system/syncthing.service + echo 'After=network.target' >> /etc/systemd/system/syncthing.service + echo 'Wants=syncthing-inotify@.service' >> /etc/systemd/system/syncthing.service + echo '' >> /etc/systemd/system/syncthing.service + echo '[Service]' >> /etc/systemd/system/syncthing.service + echo 'User=root' >> /etc/systemd/system/syncthing.service + echo "Environment='all_proxy=socks5://localhost:9050'" >> /etc/systemd/system/syncthing.service + echo 'ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0' >> /etc/systemd/system/syncthing.service + echo 'Restart=on-failure' >> /etc/systemd/system/syncthing.service + echo 'SuccessExitStatus=3 4' >> /etc/systemd/system/syncthing.service + echo 'RestartForceExitStatus=3 4' >> /etc/systemd/system/syncthing.service + echo '' >> /etc/systemd/system/syncthing.service + echo '[Install]' >> /etc/systemd/system/syncthing.service + echo 'WantedBy=multi-user.target' >> /etc/systemd/system/syncthing.service + systemctl enable syncthing + systemctl daemon-reload + systemctl start syncthing + + function_check cron_add_mins + cron_add_mins 1 '/usr/local/bin/freedombone-syncthing > /dev/null' + + function_check configure_firewall_for_syncthing + configure_firewall_for_syncthing + echo 'install_syncthing' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-tox b/src/freedombone-app-tox new file mode 100755 index 00000000..e6bdff93 --- /dev/null +++ b/src/freedombone-app-tox @@ -0,0 +1,172 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Tox Application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +TOX_PORT=33445 +TOXCORE_REPO="git://github.com/irungentoo/toxcore.git" +TOXCORE_COMMIT='532629d486e3361c7d8d95b38293cc7d61dc4ee5' +TOXID_REPO="https://github.com/bashrc/toxid" +TOX_BOOTSTRAP_ID_FILE=/var/lib/tox-bootstrapd/pubkey.txt +# These are some default nodes, but you can replace them with trusted nodes +# as you prefer. See https://wiki.tox.im/Nodes +TOX_NODES= +#TOX_NODES=( +# '192.254.75.102,2607:5600:284::2,33445,951C88B7E75C867418ACDB5D273821372BB5BD652740BCDF623A4FA293E75D2F,Tox RELENG,US' +# '144.76.60.215,2a01:4f8:191:64d6::1,33445,04119E835DF3E78BACF0F84235B300546AF8B936F035185E2A8E9E0A67C8924F,sonOfRa,DE' +#) +TOXIC_REPO="https://github.com/Tox/toxic" +TOXIC_COMMIT='cf16849b374e484a33a4dffa3dfb937b59d537f2' +TOXIC_FILE=/usr/local/bin/toxic + +function tox_avahi { + if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "tox_avahi" $COMPLETION_FILE; then + return + fi + + if [ ! -d /etc/avahi ]; then + echo $'tox_avahi: avahi is not installed' + exit 87359 + fi + + # install a command to obtain the Tox ID + cd $INSTALL_DIR + function_check git_clone + git_clone $TOXID_REPO $INSTALL_DIR/toxid + if [ ! -d $INSTALL_DIR/toxid ]; then + exit 63921 + fi + cd $INSTALL_DIR/toxid + make + if [ ! "$?" = "0" ]; then + exit 58432 + fi + make install + + toxavahi + + # publish regularly + function_check cron_add_mins + cron_add_mins 1 'toxavahi > /dev/null' + + systemctl restart avahi-daemon + + echo 'tox_avahi' >> $COMPLETION_FILE +} + +function install_tox_node { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + return + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit $INSTALL_DIR/toxcore "toxcore commit" "$TOXCORE_COMMIT" $TOXCORE_REPO + + if grep -Fxq "install_tox_node" $COMPLETION_FILE; then + return + fi + + ${PROJECT_NAME}-mesh-install -f tox_node + if [ ! "$?" = "0" ]; then + echo $'Failed to install tox node' + exit 26778 + fi + + TOX_ONION_HOSTNAME=$(add_onion_service tox ${TOX_PORT} ${TOX_PORT}) + + if ! grep -q "tox onion domain" $COMPLETION_FILE; then + echo "tox onion domain:${TOX_ONION_HOSTNAME}" >> $COMPLETION_FILE + else + sed -i "s|tox onion domain.*|tox onion domain:${TOX_ONION_HOSTNAME}|g" $COMPLETION_FILE + fi + + systemctl restart tox-bootstrapd.service + + TOX_PUBLIC_KEY=$(cat /var/log/syslog | grep tox | grep "Public Key" | awk -F ' ' '{print $8}' | tail -1) + if [ ${#TOX_PUBLIC_KEY} -lt 30 ]; then + echo $'Could not obtain the tox node public key' + exit 6529 + fi + + # save the public key for later reference + echo "$TOX_PUBLIC_KEY" > $TOX_BOOTSTRAP_ID_FILE + + function_check configure_firewall_for_tox + configure_firewall_for_tox + + if ! grep -q $"Your Tox node public key is" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo 'Tox' >> /home/$MY_USERNAME/README + echo '===' >> /home/$MY_USERNAME/README + echo $"tox onion domain: ${TOX_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README + echo $"Your Tox node public key is: $TOX_PUBLIC_KEY" >> /home/$MY_USERNAME/README + echo $'In the Toxic client you can connect to it with:' >> /home/$MY_USERNAME/README + echo " /connect $DEFAULT_DOMAIN_NAME.local $TOX_PORT $TOX_PUBLIC_KEY" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + function_check configure_firewall_for_tox + configure_firewall_for_tox + echo 'install_tox_node' >> $COMPLETION_FILE +} + +function install_tox_client { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + return + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit $INSTALL_DIR/toxic "Toxic commit" "$TOXIC_COMMIT" $TOXIC_REPO + + if grep -Fxq "install_tox_client" $COMPLETION_FILE; then + return + fi + + ${PROJECT_NAME}-mesh-install -f tox_client + if [ ! "$?" = "0" ]; then + echo $'Could not install Tox client' + exit 67248 + fi + + # initial setup of username + #su -c "echo 'n + #/nick $MY_USERNAME + #/exit + #' | $TOXIC_FILE -d" - $MY_USERNAME + + echo 'install_tox_client' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn new file mode 100755 index 00000000..a94a42e5 --- /dev/null +++ b/src/freedombone-app-vpn @@ -0,0 +1,47 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# VPN functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function install_vpn_tunnel { + if ! grep -q "repo.universe-factory.net" /etc/apt/sources.list; then + echo 'deb http://repo.universe-factory.net/debian/ sid main' >> /etc/apt/sources.list + gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9C + if [ ! "$?" = "0" ]; then + exit 76272 + fi + gpg -a --export 16EF3F64CB201D9C | sudo apt-key add - + apt-get update + apt-get -y install fastd + if [ ! "$?" = "0" ]; then + exit 52026 + fi + fi +} + +# NOTE: deliberately there is no "exit 0" diff --git a/src/freedombone-app-webmail b/src/freedombone-app-webmail new file mode 100755 index 00000000..4d06ffb8 --- /dev/null +++ b/src/freedombone-app-webmail @@ -0,0 +1,184 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Webmail application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +WEBMAIL_REPO="https://github.com/roundcube/roundcubemail" +WEBMAIL_COMMIT='78cf9c2e5cff2d78cd8beb647d60570f195a2a9c' +WEBMAIL_ONION_HOSTNAME= +WEBMAIL_ONION_PORT=8097 +WEBMAIL_ADMIN_PASSWORD= + +function install_webmail { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + WEB_PATH=/var/www + WEBMAIL_PATH=$WEB_PATH/webmail + + # update to a new commit if needed + function_check set_repo_commit + set_repo_commit $WEBMAIL_PATH "Webmail commit" "$WEBMAIL_COMMIT" $WEBMAIL_REPO + + if grep -Fxq "install_webmail" $COMPLETION_FILE; then + return + fi + if [ -d /etc/apache2 ]; then + rm -rf /etc/apache2 + echo $'Removed Apache installation after Dokuwiki install' + fi + + function_check install_mariadb + install_mariadb + + function_check get_mariadb_password + get_mariadb_password + + function_check repair_databases_script + repair_databases_script + + apt-get -y install php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt git + apt-get -y install php5-dev imagemagick php5-imagick php5-sqlite php-auth-sasl php-net-smtp php-mime-type + apt-get -y install php-mail-mime php-mail-mimedecode php-net-ldap3 php5-pspell + pear install Net_IDNA2 + + if [ ! -f $WEBMAIL_PATH/index.php ]; then + cd $WEB_PATH + git_clone $WEBMAIL_REPO webmail + cd $WEBMAIL_PATH + git checkout $WEBMAIL_COMMIT -b $WEBMAIL_COMMIT + if ! grep -q "Webmail commit" $COMPLETION_FILE; then + echo "Webmail commit:$WEBMAIL_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/Webmail commit.*/Webmail commit:$WEBMAIL_COMMIT/g" $COMPLETION_FILE + fi + fi + if [ ! -f $WEBMAIL_PATH/index.php ]; then + echo $'Did not clone webmail repo' + exit 52825 + fi + + WEBMAIL_ONION_HOSTNAME=$(add_onion_service webmail 80 ${WEBMAIL_ONION_PORT}) + echo "Webmail onion domain:${WEBMAIL_ONION_HOSTNAME}" >> $COMPLETION_FILE + + function_check get_mariadb_webmail_admin_password + get_mariadb_webmail_admin_password + if [ ! $WEBMAIL_ADMIN_PASSWORD ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + WEBMAIL_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + WEBMAIL_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + fi + function_check create_database + create_database webmail "$WEBMAIL_ADMIN_PASSWORD" + mysql -u root --password="$MARIADB_PASSWORD" -D webmail < $WEBMAIL_PATH/SQL/mysql.initial.sql + + if [ ! -d /var/www/$DEFAULT_DOMAIN_NAME/htdocs ]; then + mkdir -p /var/www/$DEFAULT_DOMAIN_NAME/htdocs + fi + ln -s $WEBMAIL_PATH /var/www/$DEFAULT_DOMAIN_NAME/htdocs/webmail + + if [ ! -f /var/www/webmail/config/config.inc.php ]; then + # generate the configuration + echo ' /var/www/webmail/config/config.inc.php + echo "\$config['db_dsnw'] = 'mysql://root:${MARIADB_PASSWORD}@localhost/webmail';" >> /var/www/webmail/config/config.inc.php + echo "\$config['default_host'] = 'localhost';" >> /var/www/webmail/config/config.inc.php + echo "\$config['support_url'] = '';" >> /var/www/webmail/config/config.inc.php + WEBMAIL_DES_KEY="$(create_password 25)" + echo "\$config['des_key'] = '${WEBMAIL_DES_KEY}';" >> /var/www/webmail/config/config.inc.php + echo "\$config['product_name'] = '${PROJECT_NAME}';" >> /var/www/webmail/config/config.inc.php + echo "\$config['plugins'] = array('enigma');" >> /var/www/webmail/config/config.inc.php + echo "\$config['mime_param_folding'] = 0;" >> /var/www/webmail/config/config.inc.php + echo "\$config['enable_installer'] = false;" >> /var/www/webmail/config/config.inc.php + fi + + chown -R www-data:www-data $WEBMAIL_PATH + + echo 'server {' > /etc/nginx/sites-available/webmail + echo " listen 127.0.0.1:$WEBMAIL_ONION_PORT default_server;" >> /etc/nginx/sites-available/webmail + echo " server_name $WEBMAIL_ONION_HOSTNAME;" >> /etc/nginx/sites-available/webmail + echo " root ${WEBMAIL_PATH};" >> /etc/nginx/sites-available/webmail + echo ' index index.php index.html index.htm;' >> /etc/nginx/sites-available/webmail + echo ' access_log off;' >> /etc/nginx/sites-available/webmail + echo ' error_log off;' >> /etc/nginx/sites-available/webmail + echo ' location / {' >> /etc/nginx/sites-available/webmail + echo ' try_files $uri $uri/ /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/webmail + echo ' }' >> /etc/nginx/sites-available/webmail + echo ' error_page 404 /404.html;' >> /etc/nginx/sites-available/webmail + echo ' error_page 500 502 503 504 /50x.html;' >> /etc/nginx/sites-available/webmail + echo ' location = /50x.html {' >> /etc/nginx/sites-available/webmail + echo " root ${WEBMAIL_PATH};" >> /etc/nginx/sites-available/webmail + echo ' }' >> /etc/nginx/sites-available/webmail + echo ' location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {' >> /etc/nginx/sites-available/webmail + echo ' deny all;' >> /etc/nginx/sites-available/webmail + echo ' }' >> /etc/nginx/sites-available/webmail + echo ' location ~ ^/(config|temp|logs)/ {' >> /etc/nginx/sites-available/webmail + echo ' deny all;' >> /etc/nginx/sites-available/webmail + echo ' }' >> /etc/nginx/sites-available/webmail + echo ' location ~ /\. {' >> /etc/nginx/sites-available/webmail + echo ' deny all;' >> /etc/nginx/sites-available/webmail + echo ' access_log off;' >> /etc/nginx/sites-available/webmail + echo ' log_not_found off;' >> /etc/nginx/sites-available/webmail + echo ' }' >> /etc/nginx/sites-available/webmail + echo ' location ~ \.php$ {' >> /etc/nginx/sites-available/webmail + echo ' try_files $uri =404;' >> /etc/nginx/sites-available/webmail + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/webmail + echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/webmail + echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/webmail + echo ' include fastcgi_params;' >> /etc/nginx/sites-available/webmail + echo ' }' >> /etc/nginx/sites-available/webmail + echo ' add_header X-Frame-Options DENY;' >> /etc/nginx/sites-available/webmail + echo ' add_header X-Content-Type-Options nosniff;' >> /etc/nginx/sites-available/webmail + echo ' client_max_body_size 15m;' >> /etc/nginx/sites-available/webmail + echo '}' >> /etc/nginx/sites-available/webmail + + nginx_ensite webmail + systemctl restart php5-fpm + systemctl restart nginx + + if ! grep -q "Webmail" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo 'Webmail' >> /home/$MY_USERNAME/README + echo '=======' >> /home/$MY_USERNAME/README + if [[ $ONION_ONLY == 'no' ]]; then + echo $"Open https://$DEFAULT_DOMAIN_NAME/webmail/index.php" >> /home/$MY_USERNAME/README + else + echo $"Open http://$WEBMAIL_ONION_HOSTNAME" >> /home/$MY_USERNAME/README + fi + echo $"MariaDB webmail admin password: $WEBMAIL_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + echo 'install_webmail' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-wiki b/src/freedombone-app-wiki new file mode 100755 index 00000000..34c7d8e1 --- /dev/null +++ b/src/freedombone-app-wiki @@ -0,0 +1,413 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Wiki application +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +WIKI_DOMAIN_NAME= +WIKI_ADMIN_PASSWORD= +WIKI_TITLE="${PROJECT_NAME} Wiki" +WIKI_CODE= +WIKI_ONION_PORT=8089 + +function get_wiki_admin_password { + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "Wiki password" /home/$MY_USERNAME/README; then + WIKI_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Wiki password:" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi +} + +function install_wiki { + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MASH" ]]; then + return + fi + if grep -Fxq "install_wiki" $COMPLETION_FILE; then + return + fi + if [ ! $WIKI_DOMAIN_NAME ]; then + return + fi + apt-get -y install dokuwiki + apt-get -y remove --purge apache* + if [ -d /etc/apache2 ]; then + rm -rf /etc/apache2 + echo $'Removed Apache installation after Dokuwiki install' + fi + + if [ ! -d /var/www/$WIKI_DOMAIN_NAME ]; then + mkdir /var/www/$WIKI_DOMAIN_NAME + fi + if [ -d /var/www/$WIKI_DOMAIN_NAME/htdocs ]; then + rm -rf /var/www/$WIKI_DOMAIN_NAME/htdocs + fi + + ln -s /usr/share/dokuwiki /var/www/$WIKI_DOMAIN_NAME/htdocs + + mkdir /var/lib/dokuwiki/custom + cp /etc/dokuwiki/local.php.dist /var/lib/dokuwiki/custom/local.php + ln -s /var/lib/dokuwiki/custom/local.php /etc/dokuwiki/local.php + + chown www-data /var/lib/dokuwiki/custom + chown www-data /var/lib/dokuwiki/custom/local.php + chown -R www-data /etc/dokuwiki + chown -R www-data /usr/share/dokuwiki/lib/ + chmod 600 /var/lib/dokuwiki/custom/local.php + chmod -R 755 /usr/share/dokuwiki/lib + + sed -i 's|//$conf|$conf|g' /var/lib/dokuwiki/custom/local.php + sed -i "s|joe|$MY_USERNAME|g" /var/lib/dokuwiki/custom/local.php + + sed -i "s|Debian DokuWiki|$WIKI_TITLE|g" /etc/dokuwiki/local.php + + # set the admin user + sed -i "s/@admin/$MY_USERNAME/g" /etc/dokuwiki/local.php + + # disallow registration of new users + if ! grep -q "disableactions" /etc/dokuwiki/local.php; then + echo "\$conf['disableactions'] = 'register';" >> /etc/dokuwiki/local.php + fi + if ! grep -q "disableactions" /var/lib/dokuwiki/custom/local.php; then + echo "\$conf['disableactions'] = 'register';" >> /var/lib/dokuwiki/custom/local.php + fi + + if ! grep -q "authtype" /var/lib/dokuwiki/custom/local.php; then + echo "\$conf['authtype'] = 'authplain';" >> /var/lib/dokuwiki/custom/local.php + fi + if ! grep -q "authtype" /etc/dokuwiki/local.php; then + echo "\$conf['authtype'] = 'authplain';" >> /etc/dokuwiki/local.php + fi + + function_check get_wiki_admin_password + get_wiki_admin_password + if [ ! $WIKI_ADMIN_PASSWORD ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + WIKI_ADMIN_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + WIKI_ADMIN_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + fi + HASHED_WIKI_PASSWORD=$(echo -n "$WIKI_ADMIN_PASSWORD" | md5sum | awk -F ' ' '{print $1}') + echo -n "$MY_USERNAME:$HASHED_WIKI_PASSWORD:$MY_NAME:$MY_EMAIL:admin,user,upload" > /var/lib/dokuwiki/acl/users.auth.php + chmod 640 /var/lib/dokuwiki/acl/users.auth.php + + if ! grep -q "video/ogg" /etc/dokuwiki/mime.conf; then + echo 'ogv video/ogg' >> /etc/dokuwiki/mime.conf + fi + if ! grep -q "video/mp4" /etc/dokuwiki/mime.conf; then + echo 'mp4 video/mp4' >> /etc/dokuwiki/mime.conf + fi + if ! grep -q "video/webm" /etc/dokuwiki/mime.conf; then + echo 'webm video/webm' >> /etc/dokuwiki/mime.conf + fi + + WIKI_ONION_HOSTNAME=$(add_onion_service wiki 80 ${WIKI_ONION_PORT}) + + if [[ $ONION_ONLY == "no" ]]; then + echo 'server {' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' listen 80;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + function_check nginx_disable_sniffing + nginx_disable_sniffing $WIKI_DOMAIN_NAME + function_check nginx_limits + nginx_limits $WIKI_DOMAIN_NAME + echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' listen 443 ssl;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " server_name $WIKI_DOMAIN_NAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + function_check nginx_limits + nginx_limits $WIKI_DOMAIN_NAME + function_check nginx_ssl + nginx_ssl $WIKI_DOMAIN_NAME + function_check nginx_disable_sniffing + nginx_disable_sniffing $WIKI_DOMAIN_NAME + echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # webmail' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location /webmail {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' rewrite ^/(.*) /webmail/index.php last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' rewrite ^/(.*) /webmail/installer/index.php last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + else + echo -n '' > /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + fi + echo 'server {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " listen 127.0.0.1:${WIKI_ONION_PORT} default_server;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " root /var/www/$WIKI_DOMAIN_NAME/htdocs;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " server_name $WIKI_ONION_HOSTNAME;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' access_log off;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " error_log /var/log/nginx/${WIKI_DOMAIN_NAME}_error_ssl.log $WEBSERVER_LOG_LEVEL;" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' charset utf-8;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' proxy_read_timeout 86400s;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + function_check nginx_limits + nginx_limits $WIKI_DOMAIN_NAME + function_check nginx_disable_sniffing + nginx_disable_sniffing $WIKI_DOMAIN_NAME + echo ' add_header Strict-Transport-Security "max-age=0;";' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # rewrite to front controller as default rule' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location / {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' rewrite ^/(.*) /index.php?q=$uri&$args last;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # make sure webfinger and other well known services aren't blocked" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # by denying dot files and rewrite request to the front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ^~ /.well-known/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' allow all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # statically serve these file types when possible' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # otherwise fall back to front controller' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # allow browser to cache them' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # added .htm for advanced source code editor library' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' expires 30d;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' try_files $uri /index.php?q=$uri&$args;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # block these file types' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~* \.(tpl|md|tgz|log|out)$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # or a unix socket' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~* \.php$ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # Zero-day exploit defense.' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # http://forum.nginx.org/read.php?2,88845,page=3' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # Won't work properly (404 error) if the file is not stored on this" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # server, which is entirely possible with php-fpm/php-fcgi." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on" >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo " # another machine. And then cross your fingers that you won't get hacked." >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' try_files $uri $uri/ /index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_split_path_info ^(.+\.php)(/.+)$;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # With php5-cgi alone:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # fastcgi_pass 127.0.0.1:9000;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # With php5-fpm:' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_pass unix:/var/run/php5-fpm.sock;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' include fastcgi_params;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_index index.php;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' # deny access to all dot files' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /\. {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' #deny access to store' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /store {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /(data|conf|bin|inc)/ {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' location ~ /\.ht {' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' deny all;' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo ' }' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + echo '}' >> /etc/nginx/sites-available/$WIKI_DOMAIN_NAME + + function_check create_site_certificate + create_site_certificate $WIKI_DOMAIN_NAME + + function_check configure_php + configure_php + + nginx_ensite $WIKI_DOMAIN_NAME + + systemctl restart php5-fpm + systemctl restart nginx + + echo "Wiki onion domain:${WIKI_ONION_HOSTNAME}" >> $COMPLETION_FILE + + function_check add_ddns_domain + add_ddns_domain $WIKI_DOMAIN_NAME + + # add some post-install instructions + if ! grep -q $"Wiki password" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Wiki' >> /home/$MY_USERNAME/README + echo '====' >> /home/$MY_USERNAME/README + echo $"Wiki onion domain: ${WIKI_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README + echo $"Wiki username: $MY_USERNAME" >> /home/$MY_USERNAME/README + echo $"Wiki password: $WIKI_ADMIN_PASSWORD" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Once you have set up the wiki then remove the install file:' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo " rm /var/www/$WIKI_DOMAIN_NAME/htdocs/install.php" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + echo "Wiki domain:$WIKI_DOMAIN_NAME" >> $COMPLETION_FILE + echo 'install_wiki' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp new file mode 100755 index 00000000..b9c3e0f8 --- /dev/null +++ b/src/freedombone-app-xmpp @@ -0,0 +1,346 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# XMPP functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Directory where XMPP settings are stored +XMPP_DIRECTORY="/var/lib/prosody" +XMPP_PASSWORD= + +XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"' +XMPP_ECC_CURVE='"secp384r1"' + +function update_prosody_modules { + if [ ! -d $INSTALL_DIR/prosody-modules ]; then + return + fi + if [ ! -d /usr/lib/prosody ]; then + return + fi + + cd $INSTALL_DIR/prosody-modules + hg pull + hg update + + # support onion addresses + if [ -f $INSTALL_DIR/prosody-modules/mod_onions/mod_onions.lua ]; then + cp $INSTALL_DIR/prosody-modules/mod_onions/mod_onions.lua /usr/lib/prosody/modules/mod_onions.lua + fi + + # XEP-0313 message archive management + # https://modules.prosody.im/mod_mam.html + # Allows you to download your previous messages onto a new client + # This only applies if you are not using forward secret crypto + # such as OTR or OMEMO (eg. OpenPGP) + if [ -d $INSTALL_DIR/prosody-modules/mod_mam ]; then + cp $INSTALL_DIR/prosody-modules/mod_mam/*.lua /usr/lib/prosody/modules + fi + + # XEP-0352 Client State Indication + # Notifies the server if the app is in the background or not + if [ -d $INSTALL_DIR/prosody-modules/mod_csi ]; then + cp $INSTALL_DIR/prosody-modules/mod_csi/*.lua /usr/lib/prosody/modules + fi + + # XEP-0280 Message Carbons + # Ensures all messages get delivered to all clients (if you have a mobile and desktop client) + if [ -d $INSTALL_DIR/prosody-modules/mod_carbons ]; then + cp $INSTALL_DIR/prosody-modules/mod_carbons/*.lua /usr/lib/prosody/modules + fi + + # XEP-0198 Stream management + # Helps mobile apps recover when a device switches networks. + if [ -d $INSTALL_DIR/prosody-modules/mod_smacks ]; then + cp $INSTALL_DIR/prosody-modules/mod_smacks/*.lua /usr/lib/prosody/modules + fi + if [ -d $INSTALL_DIR/prosody-modules/mod_smacks_offline ]; then + cp $INSTALL_DIR/prosody-modules/mod_smacks_offline/*.lua /usr/lib/prosody/modules + fi + + # XEP-0191: blocking + if [ -d $INSTALL_DIR/prosody-modules/mod_blocking ]; then + cp $INSTALL_DIR/prosody-modules/mod_blocking/*.lua /usr/lib/prosody/modules + fi + + # XEP-0016 Privacy lists + if [ -d $INSTALL_DIR/prosody-modules/mod_privacy_lists ]; then + cp $INSTALL_DIR/prosody-modules/mod_privacy_lists/*.lua /usr/lib/prosody/modules + fi +} + +function install_xmpp { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + update_prosody_modules + + if grep -Fxq "install_xmpp" $COMPLETION_FILE; then + return + fi + apt-get -y install lua-sec lua-bitop + apt-get -y install prosody prosody-modules mercurial + + if [ ! -d /etc/prosody ]; then + echo $"ERROR: prosody does not appear to have installed. $CHECK_MESSAGE" + exit 52 + fi + + # obtain the prosody modules + cd $INSTALL_DIR + hg clone https://hg.prosody.im/prosody-modules/ prosody-modules + if [ ! -d $INSTALL_DIR/prosody-modules/mod_onions ]; then + echo $'mod_onions prosody module could not be found' + exit 73254 + fi + + # install the onions module + update_prosody_modules + if [ ! -f /usr/lib/prosody/modules/mod_onions.lua ]; then + echo $'mod_onions.lua could not be copied to the prosody modules directory' + exit 63952 + fi + + # create a certificate + if [ ! -f /etc/ssl/certs/xmpp.dhparam ]; then + ${PROJECT_NAME}-addcert -h xmpp --dhkey $DH_KEYLENGTH + check_certificates xmpp + fi + chown prosody:prosody /etc/ssl/private/xmpp.key + chown prosody:prosody /etc/ssl/certs/xmpp.* + cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua + + sed -i 's|/etc/prosody/certs/example.com.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/conf.avail/xmpp.cfg.lua + sed -i 's|/etc/prosody/certs/example.com.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/conf.avail/xmpp.cfg.lua + if ! grep -q "xmpp.dhparam" /etc/prosody/conf.avail/xmpp.cfg.lua; then + sed -i '/certificate =/a\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/conf.avail/xmpp.cfg.lua + fi + if ! grep -q 'options = {"no_sslv2", "no_sslv3" }' /etc/prosody/conf.avail/xmpp.cfg.lua; then + sed -i '/certificate =/a\ options = {"no_sslv2", "no_sslv3" };' /etc/prosody/conf.avail/xmpp.cfg.lua + fi + if ! grep -q 'ciphers =' /etc/prosody/conf.avail/xmpp.cfg.lua; then + sed -i "/certificate =/a\ ciphers = $XMPP_CIPHERS;" /etc/prosody/conf.avail/xmpp.cfg.lua + fi + if ! grep -q 'depth = "1";' /etc/prosody/conf.avail/xmpp.cfg.lua; then + sed -i '/certificate =/a\ depth = "1";' /etc/prosody/conf.avail/xmpp.cfg.lua + fi + if ! grep -q 'curve =' /etc/prosody/conf.avail/xmpp.cfg.lua; then + sed -i "/certificate =/a\ curve = $XMPP_ECC_CURVE;" /etc/prosody/conf.avail/xmpp.cfg.lua + fi + + sed -i "s/example.com/$DEFAULT_DOMAIN_NAME/g" /etc/prosody/conf.avail/xmpp.cfg.lua + sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/conf.avail/xmpp.cfg.lua + + if ! grep -q "modules_enabled" /etc/prosody/conf.avail/xmpp.cfg.lua; then + echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo 'modules_enabled = {' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "bosh"; -- Enable mod_bosh' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "tls"; -- Enable mod_tls' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "saslauth"; -- Enable mod_saslauth' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "onions"; -- Enable chat via onion service' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "mam"; -- Message archive management' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "csi"; -- Client state indication' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "carbons"; -- Message carbons' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "smacks"; -- Stream management' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "smacks_offline"; -- Stream management' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "pep"; -- Personal Eventing Protocol (to support OMEMO)' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "privacy"; -- Privacy lists' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "privacy_lists"; -- Privacy lists' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "blocking"; -- Blocking command' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' "roster"; -- Roster versioning' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo '}' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo 'c2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo 's2s_require_encryption = true' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua + fi + ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua + + sed -i 's|/etc/prosody/certs/localhost.key|/etc/ssl/private/xmpp.key|g' /etc/prosody/prosody.cfg.lua + sed -i 's|/etc/prosody/certs/localhost.crt|/etc/ssl/certs/xmpp.crt|g' /etc/prosody/prosody.cfg.lua + if ! grep -q "xmpp.dhparam" /etc/prosody/prosody.cfg.lua; then + sed -i '/certificate =/a\ dhparam = "/etc/ssl/certs/xmpp.dhparam";' /etc/prosody/prosody.cfg.lua + fi + if ! grep -q 'options = {"no_sslv2", "no_sslv3" }' /etc/prosody/prosody.cfg.lua; then + sed -i '/certificate =/a\ options = {"no_sslv2", "no_sslv3" };' /etc/prosody/prosody.cfg.lua + fi + if ! grep -q 'ciphers =' /etc/prosody/prosody.cfg.lua; then + sed -i "/certificate =/a\ ciphers = $XMPP_CIPHERS;" /etc/prosody/prosody.cfg.lua + fi + if ! grep -q 'depth = "1";' /etc/prosody/prosody.cfg.lua; then + sed -i '/certificate =/a\ depth = "1";' /etc/prosody/prosody.cfg.lua + fi + if ! grep -q 'curve =' /etc/prosody/prosody.cfg.lua; then + sed -i "/certificate =/a\ curve = $XMPP_ECC_CURVE;" /etc/prosody/prosody.cfg.lua + fi + sed -i 's/c2s_require_encryption = false/c2s_require_encryption = true/g' /etc/prosody/prosody.cfg.lua + if ! grep -q "s2s_require_encryption" /etc/prosody/prosody.cfg.lua; then + sed -i '/c2s_require_encryption/a\s2s_require_encryption = true' /etc/prosody/prosody.cfg.lua + fi + if ! grep -q "allow_unencrypted_plain_auth" /etc/prosody/prosody.cfg.lua; then + echo 'allow_unencrypted_plain_auth = false' >> /etc/prosody/conf.avail/xmpp.cfg.lua + fi + sed -i 's/--"bosh";/"bosh";/g' /etc/prosody/prosody.cfg.lua + sed -i 's/authentication = "internal_plain"/authentication = "internal_hashed"/g' /etc/prosody/prosody.cfg.lua + sed -i 's/enabled = false -- Remove this line to enable this host//g' /etc/prosody/prosody.cfg.lua + sed -i 's|key = "/etc/prosody/certs/example.com.key"|key = "/etc/ssl/private/xmpp.key"|g' /etc/prosody/prosody.cfg.lua + sed -i 's|certificate = "/etc/prosody/certs/example.com.crt"|certificate = "/etc/ssl/certs/xmpp.crt"|g' /etc/prosody/prosody.cfg.lua + sed -i "s/example.com/$DEFAULT_DOMAIN_NAME/g" /etc/prosody/prosody.cfg.lua + + systemctl restart prosody + touch /home/$MY_USERNAME/README + + if [ ! -d /var/lib/tor ]; then + echo $'No Tor installation found. XMPP onion site cannot be configured.' + exit 877367 + fi + if ! grep -q "hidden_service_xmpp" /etc/tor/torrc; then + echo 'HiddenServiceDir /var/lib/tor/hidden_service_xmpp/' >> /etc/tor/torrc + echo "HiddenServicePort 5222 127.0.0.1:5222" >> /etc/tor/torrc + echo "HiddenServicePort 5269 127.0.0.1:5269" >> /etc/tor/torrc + echo $'Added onion site for XMPP chat' + fi + + systemctl restart tor + wait_for_onion_service 'xmpp' + + if [ ! -f /var/lib/tor/hidden_service_xmpp/hostname ]; then + echo $'XMPP onion site hostname not found' + exit 65349 + fi + XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname) + if ! grep -q "${XMPP_ONION_HOSTNAME}" /etc/prosody/conf.avail/xmpp.cfg.lua; then + echo '' >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo "VirtualHost \"${XMPP_ONION_HOSTNAME}\"" >> /etc/prosody/conf.avail/xmpp.cfg.lua + echo ' modules_enabled = { "onions" };' >> /etc/prosody/conf.avail/xmpp.cfg.lua + fi + if ! grep -q "XMPP onion domain" $COMPLETION_FILE; then + echo "XMPP onion domain:${XMPP_ONION_HOSTNAME}" >> $COMPLETION_FILE + else + sed -i "s|XMPP onion domain.*|XMPP onion domain:${XMPP_ONION_HOSTNAME}|g" $COMPLETION_FILE + fi + + if ! grep -q "Your XMPP password is" /home/$MY_USERNAME/README; then + if [ ${#XMPP_PASSWORD} -lt 8 ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + XMPP_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + XMPP_PASSWORD="$(create_password ${MINIMUM_PASSWORD_LENGTH})" + fi + fi + prosodyctl register $MY_USERNAME $DEFAULT_DOMAIN_NAME $XMPP_PASSWORD + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'XMPP' >> /home/$MY_USERNAME/README + echo '====' >> /home/$MY_USERNAME/README + echo $"XMPP onion domain: ${XMPP_ONION_HOSTNAME}" >> /home/$MY_USERNAME/README + echo $"Your XMPP password is: $XMPP_PASSWORD" >> /home/$MY_USERNAME/README + echo $'You can change it with: ' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo " prosodyctl passwd $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi + + function_check configure_firewall_for_xmpp + configure_firewall_for_xmpp + + echo 'install_xmpp' >> $COMPLETION_FILE +} + +function install_xmpp_client { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "install_xmpp_client" $COMPLETION_FILE; then + return + fi + apt-get -y install profanity + + XMPP_CLIENT_DIR=/home/$MY_USERNAME/.local/share/profanity + XMPP_CLIENT_ACCOUNTS=$XMPP_CLIENT_DIR/accounts + if [ ! -d $XMPP_CLIENT_DIR ]; then + mkdir -p $XMPP_CLIENT_DIR + fi + + if [[ $ONION_ONLY == 'no' ]]; then + echo "[${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}]" > $XMPP_CLIENT_ACCOUNTS + echo 'enabled=true' >> $XMPP_CLIENT_ACCOUNTS + echo "jid=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}" >> $XMPP_CLIENT_ACCOUNTS + echo 'resource=profanity' >> $XMPP_CLIENT_ACCOUNTS + echo "muc.service=conference.${DEFAULT_DOMAIN_NAME}" >> $XMPP_CLIENT_ACCOUNTS + echo "muc.nick=${MY_USERNAME}" >> $XMPP_CLIENT_ACCOUNTS + echo 'presence.last=online' >> $XMPP_CLIENT_ACCOUNTS + echo 'presence.login=online' >> $XMPP_CLIENT_ACCOUNTS + echo 'priority.online=0' >> $XMPP_CLIENT_ACCOUNTS + echo 'priority.chat=0' >> $XMPP_CLIENT_ACCOUNTS + echo 'priority.away=0' >> $XMPP_CLIENT_ACCOUNTS + echo 'priority.xa=0' >> $XMPP_CLIENT_ACCOUNTS + echo 'priority.dnd=0' >> $XMPP_CLIENT_ACCOUNTS + if [ ${#XMPP_PASSWORD} -gt 2 ]; then + echo "password=$XMPP_PASSWORD" >> $XMPP_CLIENT_ACCOUNTS + fi + fi + + if [ -f /var/lib/tor/hidden_service_xmpp/hostname ]; then + XMPP_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_xmpp/hostname) + echo "[${MY_USERNAME}@${XMPP_ONION_HOSTNAME}]" >> $XMPP_CLIENT_ACCOUNTS + if [[ $ONION_ONLY == 'no' ]]; then + echo 'enabled=false' >> $XMPP_CLIENT_ACCOUNTS + else + echo 'enabled=true' >> $XMPP_CLIENT_ACCOUNTS + fi + echo "jid=${MY_USERNAME}@${XMPP_ONION_HOSTNAME}" >> $XMPP_CLIENT_ACCOUNTS + echo 'resource=profanity' >> $XMPP_CLIENT_ACCOUNTS + echo "muc.service=conference.${XMPP_ONION_HOSTNAME}" >> $XMPP_CLIENT_ACCOUNTS + echo "muc.nick=${MY_USERNAME}" >> $XMPP_CLIENT_ACCOUNTS + echo 'presence.last=online' >> $XMPP_CLIENT_ACCOUNTS + echo 'presence.login=online' >> $XMPP_CLIENT_ACCOUNTS + echo 'priority.online=0' >> $XMPP_CLIENT_ACCOUNTS + echo 'priority.chat=0' >> $XMPP_CLIENT_ACCOUNTS + echo 'priority.away=0' >> $XMPP_CLIENT_ACCOUNTS + echo 'priority.xa=0' >> $XMPP_CLIENT_ACCOUNTS + echo 'priority.dnd=0' >> $XMPP_CLIENT_ACCOUNTS + if [ ${#XMPP_PASSWORD} -gt 2 ]; then + echo "password=$XMPP_PASSWORD" >> $XMPP_CLIENT_ACCOUNTS + fi + fi + + if [ ! -d /home/$MY_USERNAME/.config/profanity ]; then + mkdir /home/$MY_USERNAME/.config/profanity + fi + echo '[connection]' > /home/$MY_USERNAME/.config/profanity/profrc + echo "account=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}" >> /home/$MY_USERNAME/.config/profanity/profrc + + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.local + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config + + echo 'install_xmpp_client' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-zeronet b/src/freedombone-app-zeronet new file mode 100755 index 00000000..7d149ed3 --- /dev/null +++ b/src/freedombone-app-zeronet @@ -0,0 +1,384 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Zeronet functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +ZERONET_REPO="https://github.com/HelloZeroNet/ZeroNet.git" +ZERONET_COMMIT='675bd462556c541d65e2d95f91f899146a373aad' +ZERONET_BLOG_REPO="https://github.com/HelloZeroNet/ZeroBlog" +ZERONET_BLOG_COMMIT='bbb0d6c36465fed2e6df71f1aab45fcc9c6ad609' +ZERONET_MAIL_REPO="https://github.com/HelloZeroNet/ZeroMail" +ZERONET_MAIL_COMMIT='955af09d643c72b02e4983d71eca5c0c93a6c131' +ZERONET_FORUM_REPO="https://github.com/HelloZeroNet/ZeroTalk" +ZERONET_FORUM_COMMIT='e2d2c9cb1cfbfef91b244935efb5c14c2ad95faa' +ZERONET_URL=http://127.0.0.1:43110 +ZERONET_PORT=15441 +TRACKER_PORT=6969 +ZERONET_DEFAULT_BLOG_TAGLINE="Blogging on the Mesh" +ZERONET_DEFAULT_FORUM_TAGLINE="A decentralized discussion group" +ZERONET_DEFAULT_MAIL_TAGLINE="Mail for the Mesh" +ZERONET_ID_REPO="https://github.com/HelloZeroNet/ZeroID" +ZERONET_ID_COMMIT='ccf14fdc96fa9cdb2ddd8a7ab283a8e17a4f234b' + +function install_zeronet_blog { + if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then + return + fi + + function_check set_repo_commit + set_repo_commit $MESH_INSTALL_DIR/zeronet/ZeroBlog "ZeroNet Blog commit" "$ZERONET_BLOG_COMMIT" $ZERONET_BLOG_REPO + + if grep -Fxq "install_zeronet_blog" $COMPLETION_FILE; then + return + fi + + if [ ! -f /home/$MY_USERNAME/README ]; then + touch /home/$MY_USERNAME/README + fi + + if grep -q "ZeroNet Blog address" /home/$MY_USERNAME/README; then + return + fi + + if [ ! -d /etc/avahi ]; then + echo $'Avahi is not installed' + exit 736 + fi + + ZERONET_DEFAULT_BLOG_TITLE="${MY_USERNAME}'s Blog" + + cd $MESH_INSTALL_DIR/zeronet + python zeronet.py --batch siteCreate 2> $MESH_INSTALL_DIR/zeronet/blog.txt + if [ ! -f $MESH_INSTALL_DIR/zeronet/blog.txt ]; then + echo $'Unable to create blog' + exit 479 + fi + blog_address=$(cat blog.txt | grep "Site address" | awk -F ':' '{print $2}') + blog_private_key=$(cat blog.txt | grep "Site private key" | awk -F ':' '{print $2}') + ZERONET_BLOG_ADDRESS=${blog_address//[[:blank:]]/} + ZERONET_BLOG_PRIVATE_KEY=${blog_private_key//[[:blank:]]/} + + if [ ${#ZERONET_BLOG_ADDRESS} -lt 20 ]; then + echo $"Address: $ZERONET_BLOG_ADDRESS" + echo $"Public key: $ZERONET_BLOG_PRIVATE_KEY" + echo $'Unable to create zeronet blog address' + exit 7358 + fi + + if [ ${#ZERONET_BLOG_PRIVATE_KEY} -lt 20 ]; then + echo $"Address: $ZERONET_BLOG_ADDRESS" + echo $"Public key: $ZERONET_BLOG_PRIVATE_KEY" + echo $'Unable to create zeronet blog private key' + exit 1639 + fi + + if [ ! -d "$MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS" ]; then + echo $"Unable to find site directory: $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS" + exit 7638 + fi + + function_check git_clone + git_clone $ZERONET_BLOG_REPO ZeroBlog + if [ ! -d $MESH_INSTALL_DIR/zeronet/ZeroBlog ]; then + echo $'ZeroBlog repo could not be cloned' + exit 6739 + fi + cd $MESH_INSTALL_DIR/zeronet/ZeroBlog + git checkout $ZERONET_BLOG_COMMIT -b $ZERONET_BLOG_COMMIT + if ! grep -q "ZeroNet Blog commit" $COMPLETION_FILE; then + echo "ZeroNet Blog commit:$ZERONET_BLOG_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/ZeroNet Blog commit.*/ZeroNet Blog commit:$ZERONET_BLOG_COMMIT/g" $COMPLETION_FILE + fi + + echo $"ZeroNet Blog address: $ZERONET_BLOG_ADDRESS" + echo $"ZeroNet Blog private key: $ZERONET_BLOG_PRIVATE_KEY" + cp -r $MESH_INSTALL_DIR/zeronet/ZeroBlog/* $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS + + if [ ! -d $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data ]; then + mkdir $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data + fi + cp $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data-default/data.json $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data + sed -i "s/MyZeroBlog/$ZERONET_DEFAULT_BLOG_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data/data.json + sed -i "s/My ZeroBlog./$ZERONET_DEFAULT_BLOG_TAGLINE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/data/data.json + sed -i "s/ZeroBlog Demo/$ZERONET_DEFAULT_BLOG_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/index.html + sed -i "s|

.*|

$ZERONET_DEFAULT_BLOG_TAGLINE

|g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/index.html + sed -i "s/Blogging platform Demo/Blogging platform/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_BLOG_ADDRESS/content.json + python zeronet.py siteSign $ZERONET_BLOG_ADDRESS $ZERONET_BLOG_PRIVATE_KEY + + # Add an avahi service + function_check create_avahi_service + create_avahi_service zeronet-blog "zeronet-blog" udp $ZERONET_PORT "$ZERONET_URL/$ZERONET_BLOG_ADDRESS" + cp /tmp/zeronet-blog.service /etc/avahi/services/zeronet-blog.service + + if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then + mkdir -p /home/$MY_USERNAME/.config/zeronet + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config + fi + echo "$ZERONET_URL/$ZERONET_BLOG_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/myblog + + if ! grep -q "ZeroNet Blog address" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo "ZeroNet Blog address: $ZERONET_BLOG_ADDRESS" >> /home/$MY_USERNAME/README + echo "ZeroNet Blog private key: $ZERONET_BLOG_PRIVATE_KEY" >> /home/$MY_USERNAME/README + fi + + echo 'install_zeronet_blog' >> $COMPLETION_FILE +} + +function install_zeronet_mail { + if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then + return + fi + + function_check set_repo_commit + set_repo_commit $MESH_INSTALL_DIR/zeronet/ZeroMail "ZeroNet Mail commit" "$ZERONET_MAIL_COMMIT" $ZERONET_MAIL_REPO + + if grep -Fxq "install_zeronet_mail" $COMPLETION_FILE; then + return + fi + + if [ ! -f /home/$MY_USERNAME/README ]; then + touch /home/$MY_USERNAME/README + fi + + if grep -q "ZeroNet Mail address" /home/$MY_USERNAME/README; then + return + fi + + if [ ! -d /etc/avahi ]; then + echo 'Avahi is not installed' + exit 736 + fi + + ZERONET_DEFAULT_MAIL_TITLE="${MY_USERNAME}'s Mail" + + cd $MESH_INSTALL_DIR/zeronet + python zeronet.py --batch siteCreate 2> $MESH_INSTALL_DIR/zeronet/mail.txt + if [ ! -f $MESH_INSTALL_DIR/zeronet/mail.txt ]; then + echo $'Unable to create mail' + exit 479 + fi + mail_address=$(cat mail.txt | grep "Site address" | awk -F ':' '{print $2}') + mail_private_key=$(cat mail.txt | grep "Site private key" | awk -F ':' '{print $2}') + ZERONET_MAIL_ADDRESS=${mail_address//[[:blank:]]/} + ZERONET_MAIL_PRIVATE_KEY=${mail_private_key//[[:blank:]]/} + + if [ ${#ZERONET_MAIL_ADDRESS} -lt 20 ]; then + echo $"Address: $ZERONET_MAIL_ADDRESS" + echo $"Public key: $ZERONET_MAIL_PRIVATE_KEY" + echo $'Unable to create zeronet mail address' + exit 7358 + fi + + if [ ${#ZERONET_MAIL_PRIVATE_KEY} -lt 20 ]; then + echo $"Address: $ZERONET_MAIL_ADDRESS" + echo $"Public key: $ZERONET_MAIL_PRIVATE_KEY" + echo $'Unable to create zeronet mail private key' + exit 1639 + fi + + if [ ! -d "$MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS" ]; then + echo $"Unable to find site directory: $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS" + exit 7638 + fi + + function_check git_clone + git_clone $ZERONET_MAIL_REPO ZeroMail + if [ ! -d $MESH_INSTALL_DIR/zeronet/ZeroMail ]; then + echo $'ZeroMail repo could not be cloned' + exit 6739 + fi + cd $MESH_INSTALL_DIR/zeronet/ZeroMail + git checkout $ZERONET_MAIL_COMMIT -b $ZERONET_MAIL_COMMIT + if ! grep -q "ZeroNet Mail commit" $COMPLETION_FILE; then + echo "ZeroNet Mail commit:$ZERONET_MAIL_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/ZeroNet Mail commit.*/ZeroNet Mail commit:$ZERONET_MAIL_COMMIT/g" $COMPLETION_FILE + fi + + echo $"ZeroNet Mail address: $ZERONET_MAIL_ADDRESS" + echo $"ZeroNet Mail private key: $ZERONET_MAIL_PRIVATE_KEY" + cp -r $MESH_INSTALL_DIR/zeronet/ZeroMail/* $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS + + if [ ! -d $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data ]; then + mkdir $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data + fi + cp $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data-default/data.json $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data + sed -i "s/MyZeroMail/$ZERONET_DEFAULT_MAIL_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data/data.json + sed -i "s/My ZeroMail./$ZERONET_DEFAULT_MAIL_TAGLINE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/data/data.json + sed -i "s/ZeroMail Demo/$ZERONET_DEFAULT_MAIL_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/index.html + sed -i "s|

.*|

$ZERONET_DEFAULT_MAIL_TAGLINE

|g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/index.html + sed -i "s/Mailging platform Demo/Mailging platform/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_MAIL_ADDRESS/content.json + python zeronet.py siteSign $ZERONET_MAIL_ADDRESS $ZERONET_MAIL_PRIVATE_KEY + + # Add an avahi service + function_check create_avahi_service + create_avahi_service zeronet-mail "zeronet-mail" udp $ZERONET_PORT "$ZERONET_URL/$ZERONET_MAIL_ADDRESS" + cp /tmp/zeronet-mail.service /etc/avahi/services/zeronet-mail.service + + if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then + mkdir -p /home/$MY_USERNAME/.config/zeronet + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config + fi + echo "$ZERONET_URL/$ZERONET_MAIL_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/mymail + + if ! grep -q $"ZeroNet Mail address" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo $"ZeroNet Mail address: $ZERONET_MAIL_ADDRESS" >> /home/$MY_USERNAME/README + echo $"ZeroNet Mail private key: $ZERONET_MAIL_PRIVATE_KEY" >> /home/$MY_USERNAME/README + fi + + echo 'install_zeronet_mail' >> $COMPLETION_FILE +} + +function install_zeronet_forum { + if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then + return + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit $MESH_INSTALL_DIR/zeronet/ZeroTalk "ZeroNet Forum commit" "$ZERONET_FORUM_COMMIT" $ZERONET_FORUM_REPO + + if grep -Fxq "install_zeronet_forum" $COMPLETION_FILE; then + return + fi + + if [ ! -f /home/$MY_USERNAME/README ]; then + touch /home/$MY_USERNAME/README + fi + + if grep -q "ZeroNet Forum address" /home/$MY_USERNAME/README; then + return + fi + + if [ ! -d /etc/avahi ]; then + echo $'Avahi is not installed' + exit 736 + fi + + ZERONET_DEFAULT_FORUM_TITLE=$"${MY_USERNAME}'s Forum" + + cd $MESH_INSTALL_DIR/zeronet + python zeronet.py --batch siteCreate 2> $MESH_INSTALL_DIR/zeronet/forum.txt + if [ ! -f $MESH_INSTALL_DIR/zeronet/forum.txt ]; then + echo $'Unable to create forum' + exit 479 + fi + forum_address=$(cat forum.txt | grep "Site address" | awk -F ':' '{print $2}') + forum_private_key=$(cat forum.txt | grep "Site private key" | awk -F ':' '{print $2}') + ZERONET_FORUM_ADDRESS=${forum_address//[[:blank:]]/} + ZERONET_FORUM_PRIVATE_KEY=${forum_private_key//[[:blank:]]/} + + if [ ${#ZERONET_FORUM_ADDRESS} -lt 20 ]; then + echo $"Address: $ZERONET_FORUM_ADDRESS" + echo $"Public key: $ZERONET_FORUM_PRIVATE_KEY" + echo $'Unable to create zeronet forum address' + exit 76352 + fi + + if [ ${#ZERONET_FORUM_PRIVATE_KEY} -lt 20 ]; then + echo $"Address: $ZERONET_FORUM_ADDRESS" + echo $"Public key: $ZERONET_FORUM_PRIVATE_KEY" + echo $'Unable to create zeronet forum private key' + exit 87356 + fi + + if [ ! -d "$MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS" ]; then + echo $"Unable to find site directory: $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS" + exit 7638 + fi + + function_check git_clone + git_clone $ZERONET_FORUM_REPO ZeroTalk + if [ ! -d $MESH_INSTALL_DIR/zeronet/ZeroTalk ]; then + echo $'ZeroTalk repo could not be cloned' + exit 6739 + fi + git checkout $ZERONET_FORUM_COMMIT -b $ZERONET_FORUM_COMMIT + if ! grep -q "ZeroNet Forum commit" $COMPLETION_FILE; then + echo "ZeroNet Forum commit:$ZERONET_FORUM_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/ZeroNet Forum commit.*/ZeroNet Forum commit:$ZERONET_FORUM_COMMIT/g" $COMPLETION_FILE + fi + + echo $"Forum address: $ZERONET_FORUM_ADDRESS" + echo $"Forum private key: $ZERONET_FORUM_PRIVATE_KEY" + cp -r $MESH_INSTALL_DIR/zeronet/ZeroTalk/* $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS + sed -i "s/ZeroBoard/$ZERONET_DEFAULT_FORUM_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html + sed -i "s/ZeroTalk/$ZERONET_DEFAULT_FORUM_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html + sed -i "s|Demo for dynamic, decentralized content publishing.|$ZERONET_DEFAULT_FORUM_TAGLINE|g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/index.html + sed -i 's/Messaging Board Demo/Messaging Board/g' $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/content.json + sed -i "s/ZeroBoard/$ZERONET_DEFAULT_FORUM_TITLE/g" $MESH_INSTALL_DIR/zeronet/data/$ZERONET_FORUM_ADDRESS/content.json + python zeronet.py siteSign $ZERONET_FORUM_ADDRESS $ZERONET_FORUM_PRIVATE_KEY --inner_path data/users/content.json + + # Add an avahi service + function_check create_avahi_service + create_avahi_service zeronet-forum "zeronet-forum" udp $ZERONET_PORT "$ZERONET_URL/$ZERONET_FORUM_ADDRESS" + sudo cp /tmp/zeronet-forum.service /etc/avahi/services/zeronet-forum.service + + if [ ! -d /home/$MY_USERNAME/.config/zeronet ]; then + mkdir -p /home/$MY_USERNAME/.config/zeronet + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.config + fi + echo "$ZERONET_URL/$ZERONET_FORUM_ADDRESS" > /home/$MY_USERNAME/.config/zeronet/myforum + + if ! grep -q $"ZeroNet Forum address" /home/$MY_USERNAME/README; then + echo '' >> /home/$MY_USERNAME/README + echo $"ZeroNet Forum address: $ZERONET_FORUM_ADDRESS" >> /home/$MY_USERNAME/README + echo $"ZeroNet Forum private key: $ZERONET_FORUM_PRIVATE_KEY" >> /home/$MY_USERNAME/README + fi + + echo 'install_zeronet_forum' >> $COMPLETION_FILE +} + +function install_zeronet { + if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then + return + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit $MESH_INSTALL_DIR/zeronet "ZeroNet commit" "$ZERONET_COMMIT" $ZERONET_REPO + + if grep -Fxq "install_zeronet" $COMPLETION_FILE; then + return + fi + + ${PROJECT_NAME}-mesh-install -f zeronet + systemctl daemon-reload + systemctl start tracker.service + systemctl start zeronet.service + + function_check configure_firewall_for_zeronet + configure_firewall_for_zeronet + echo 'install_zeronet' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-avahi b/src/freedombone-utils-avahi new file mode 100755 index 00000000..422b129f --- /dev/null +++ b/src/freedombone-utils-avahi @@ -0,0 +1,85 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Avahi functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function create_avahi_service { + service_name=$1 + service_type=$2 + service_protocol=$3 + service_port=$4 + service_description="$5" + + if [ ! -d /etc/avahi ]; then + echo $'create_avahi_service: avahi was not installed' + exit 52925 + fi + + echo '' > /etc/avahi/services/${service_name}.service + echo '' >> /etc/avahi/services/${service_name}.service + echo '' >> /etc/avahi/services/${service_name}.service + echo " %h ${service_type}" >> /etc/avahi/services/${service_name}.service + echo ' ' >> /etc/avahi/services/${service_name}.service + echo " _${service_type}._${service_protocol}" >> /etc/avahi/services/${service_name}.service + echo " ${service_port}" >> /etc/avahi/services/${service_name}.service + if [ "$service_description" ]; then + echo " $description" >> /tmp/zeronet-blog.service + fi + echo ' ' >> /etc/avahi/services/${service_name}.service + echo '' >> /etc/avahi/services/${service_name}.service +} + +function configure_avahi { + if grep -Fxq "configure_avahi" $COMPLETION_FILE; then + return + fi + # only enable avahi if we're doing mesh networking + if [[ $ENABLE_BABEL != "yes" && $ENABLE_BATMAN != "yes" && $ENABLE_CJDNS != "yes" ]]; then + return + fi + + ${PROJECT_NAME}-mesh-install -f avahi + if [ ! "$?" = "0" ]; then + echo $'Failed to install avahi' + exit 68442 + fi + + if [ $DEFAULT_DOMAIN_NAME ]; then + sed -i "s|#host-name=.*|host-name=$DEFAULT_DOMAIN_NAME|g" /etc/avahi/avahi-daemon.conf + sed -i "s|host-name=.*|host-name=$DEFAULT_DOMAIN_NAME|g" /etc/avahi/avahi-daemon.conf + else + decarray=( 1 2 3 4 5 6 7 8 9 0 ) + PEER_ID=${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]}${decarray[$RANDOM%10]} + sed -i "s|#host-name=.*|host-name=P$PEER_ID|g" /etc/avahi/avahi-daemon.conf + sed -i "s|host-name=.*|host-name=P$PEER_ID|g" /etc/avahi/avahi-daemon.conf + fi + + echo 'configure_avahi' >> $COMPLETION_FILE +} + +# NOTE: deliberately there is no "exit 0" diff --git a/src/freedombone-utils-backup b/src/freedombone-utils-backup new file mode 100755 index 00000000..2810ee79 --- /dev/null +++ b/src/freedombone-utils-backup @@ -0,0 +1,99 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Backup functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function configure_backup_key { + if grep -Fxq "configure_backup_key" $COMPLETION_FILE; then + return + fi + apt-get -y install gnupg + + BACKUP_KEY_EXISTS=$(gpg_key_exists "root" "$MY_NAME (backup key)") + if [[ $BACKUP_KEY_EXISTS == "yes" ]]; then + return + fi + + # Generate a GPG key for backups + BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)") + if [[ $BACKUP_KEY_EXISTS == "no" ]]; then + echo 'Key-Type: 1' > /home/$MY_USERNAME/gpg-genkey.conf + echo 'Key-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf + echo 'Subkey-Type: 1' >> /home/$MY_USERNAME/gpg-genkey.conf + echo 'Subkey-Length: 4096' >> /home/$MY_USERNAME/gpg-genkey.conf + echo "Name-Real: $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf + echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf + echo "Name-Comment: backup key" >> /home/$MY_USERNAME/gpg-genkey.conf + echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf + echo $'Backup key does not exist. Creating it.' + su -c "gpg --batch --gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME + shred -zu /home/$MY_USERNAME/gpg-genkey.conf + echo $'Checking that the Backup key was created' + BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)") + if [[ $BACKUP_KEY_EXISTS == "no" ]]; then + echo $'Backup key could not be created' + exit 43382 + fi + fi + MY_BACKUP_KEY_ID=$(su -c "gpg --list-keys \"$MY_NAME (backup key)\" | grep 'pub '" - $MY_USERNAME | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}') + echo "Backup key: $MY_BACKUP_KEY_ID" + MY_BACKUP_KEY=/home/$MY_USERNAME/backup_key + su -c "gpg --output ${MY_BACKUP_KEY}_public.asc --armor --export $MY_BACKUP_KEY_ID" - $MY_USERNAME + su -c "gpg --output ${MY_BACKUP_KEY}_private.asc --armor --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME + if [ ! -f ${MY_BACKUP_KEY}_public.asc ]; then + echo 'Public backup key could not be exported' + exit 36829 + fi + if [ ! -f ${MY_BACKUP_KEY}_private.asc ]; then + echo 'Private backup key could not be exported' + exit 29235 + fi + + # import backup key to root user + gpg --import --import ${MY_BACKUP_KEY}_public.asc + gpg --allow-secret-key-import --import ${MY_BACKUP_KEY}_private.asc + + shred -zu ${MY_BACKUP_KEY}_public.asc + shred -zu ${MY_BACKUP_KEY}_private.asc + + echo 'configure_backup_key' >> $COMPLETION_FILE +} + +function backup_to_friends_servers { + # update crontab + echo '#!/bin/bash' > /etc/cron.daily/backuptofriends + echo "if [ -f /usr/local/bin/${PROJECT_NAME}-backup-remote ]; then" >> /etc/cron.daily/backuptofriends + echo " /usr/local/bin/${PROJECT_NAME}-backup-remote" >> /etc/cron.daily/backuptofriends + echo 'else' >> /etc/cron.daily/backuptofriends + echo " /usr/bin/${PROJECT_NAME}-backup-remote" >> /etc/cron.daily/backuptofriends + echo 'fi' >> /etc/cron.daily/backuptofriends + chmod +x /etc/cron.daily/backuptofriends +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-config b/src/freedombone-utils-config new file mode 100755 index 00000000..85189b76 --- /dev/null +++ b/src/freedombone-utils-config @@ -0,0 +1,606 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Initial reading of the configuration file, typically called freedombone.cfg +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function read_configuration { + # if not installing on a Beaglebone then use sdb as the USB drive by default + if [ ! $INSTALLING_ON_BBB ]; then + if [[ $USB_DRIVE == /dev/sda1 ]]; then + USB_DRIVE=/dev/sdb1 + fi + fi + + if [[ $INSTALLING_FROM_CONFIGURATION_FILE == "yes" ]]; then + if [ ! -f $CONFIGURATION_FILE ]; then + echo $"The configuration file $CONFIGURATION_FILE was not found" + exit 8935 + fi + fi + + if [ -f $CONFIGURATION_FILE ]; then + read_repo_servers + + # Ensure that a copy of the config exists for upgrade purposes + if [[ $CONFIGURATION_FILE != "/root/${PROJECT_NAME}.cfg" ]]; then + cp $CONFIGURATION_FILE /root/${PROJECT_NAME}.cfg + fi + if grep -q "REFRESH_GPG_KEYS_HOURS" $CONFIGURATION_FILE; then + REFRESH_GPG_KEYS_HOURS=$(grep "REFRESH_GPG_KEYS_HOURS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WEBMAIL_REPO" $CONFIGURATION_FILE; then + WEBMAIL_REPO=$(grep "WEBMAIL_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WEBMAIL_COMMIT" $CONFIGURATION_FILE; then + WEBMAIL_COMMIT=$(grep "WEBMAIL_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WIFI_INTERFACE" $CONFIGURATION_FILE; then + WIFI_INTERFACE=$(grep "WIFI_INTERFACE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WIFI_SSID" $CONFIGURATION_FILE; then + WIFI_SSID=$(grep "WIFI_SSID" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WIFI_TYPE" $CONFIGURATION_FILE; then + WIFI_TYPE=$(grep "WIFI_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WIFI_PASSPHRASE" $CONFIGURATION_FILE; then + WIFI_PASSPHRASE=$(grep "WIFI_PASSPHRASE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WIFI_HOTSPOT" $CONFIGURATION_FILE; then + WIFI_HOTSPOT=$(grep "WIFI_HOTSPOT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WIFI_NETWORKS_FILE" $CONFIGURATION_FILE; then + WIFI_NETWORKS_FILE=$(grep "WIFI_NETWORKS_FILE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SYNCTHING_ID" $CONFIGURATION_FILE; then + SYNCTHING_ID=$(grep "SYNCTHING_ID" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SYNCTHING_CONFIG_PATH" $CONFIGURATION_FILE; then + SYNCTHING_CONFIG_PATH=$(grep "SYNCTHING_CONFIG_PATH" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SYNCTHING_CONFIG_FILE" $CONFIGURATION_FILE; then + SYNCTHING_CONFIG_FILE=$(grep "SYNCTHING_CONFIG_FILE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SYNCTHING_RELAY_SERVER" $CONFIGURATION_FILE; then + SYNCTHING_RELAY_SERVER=$(grep "SYNCTHING_RELAY_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SYNCTHING_RELEASES" $CONFIGURATION_FILE; then + SYNCTHING_RELEASES=$(grep "SYNCTHING_RELEASES" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SYNCTHING_PORT" $CONFIGURATION_FILE; then + SYNCTHING_PORT=$(grep "SYNCTHING_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SYNCTHING_SHARED_DATA" $CONFIGURATION_FILE; then + SYNCTHING_SHARED_DATA=$(grep "SYNCTHING_SHARED_DATA" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "VOIP_TURN_PORT" $CONFIGURATION_FILE; then + VOIP_TURN_PORT=$(grep "VOIP_TURN_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "VOIP_TURN_TLS_PORT" $CONFIGURATION_FILE; then + VOIP_TURN_TLS_PORT=$(grep "VOIP_TURN_TLS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "VOIP_TURN_NONCE" $CONFIGURATION_FILE; then + VOIP_TURN_NONCE=$(grep "VOIP_TURN_NONCE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "DEFAULT_SEARCH" $CONFIGURATION_FILE; then + DEFAULT_SEARCH=$(grep "DEFAULT_SEARCH" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SEARCH_ENGINE_PASSWORD" $CONFIGURATION_FILE; then + SEARCH_ENGINE_PASSWORD=$(grep "SEARCH_ENGINE_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "XMPP_PASSWORD" $CONFIGURATION_FILE; then + XMPP_PASSWORD=$(grep "XMPP_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "RSS_READER_REPO" $CONFIGURATION_FILE; then + RSS_READER_REPO=$(grep "RSS_READER_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "RSS_MOBILE_READER_REPO" $CONFIGURATION_FILE; then + RSS_MOBILE_READER_REPO=$(grep "RSS_MOBILE_READER_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "RSS_READER_COMMIT" $CONFIGURATION_FILE; then + RSS_READER_COMMIT=$(grep "RSS_READER_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "RSS_MOBILE_READER_COMMIT" $CONFIGURATION_FILE; then + RSS_MOBILE_READER_COMMIT=$(grep "RSS_MOBILE_READER_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "RSS_READER_ADMIN_PASSWORD" $CONFIGURATION_FILE; then + RSS_READER_ADMIN_PASSWORD=$(grep "RSS_READER_ADMIN_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "RSS_READER_DOMAIN_NAME" $CONFIGURATION_FILE; then + RSS_READER_DOMAIN_NAME=$(grep "RSS_READER_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MICROBLOG_BACKGROUND_IMAGE_URL" $CONFIGURATION_FILE; then + MICROBLOG_BACKGROUND_IMAGE_URL=$(grep "MICROBLOG_BACKGROUND_IMAGE_URL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MICROBLOG_WELCOME_MESSAGE" $CONFIGURATION_FILE; then + MICROBLOG_WELCOME_MESSAGE=$(grep "MICROBLOG_WELCOME_MESSAGE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "PROJECT_WEBSITE" $CONFIGURATION_FILE; then + PROJECT_WEBSITE=$(grep "PROJECT_WEBSITE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "PROJECT_REPO" $CONFIGURATION_FILE; then + PROJECT_REPO=$(grep "PROJECT_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ONION_ONLY" $CONFIGURATION_FILE; then + ONION_ONLY=$(grep "ONION_ONLY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "IRC_PASSWORD" $CONFIGURATION_FILE; then + IRC_PASSWORD=$(grep "IRC_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "DEFAULT_LANGUAGE" $CONFIGURATION_FILE; then + DEFAULT_LANGUAGE=$(grep "DEFAULT_LANGUAGE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MINIMAL_INSTALL" $CONFIGURATION_FILE; then + MINIMAL_INSTALL=$(grep "MINIMAL_INSTALL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "LETSENCRYPT_SERVER" $CONFIGURATION_FILE; then + LETSENCRYPT_SERVER=$(grep "LETSENCRYPT_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "FULLBLOG_REPO" $CONFIGURATION_FILE; then + FULLBLOG_REPO=$(grep "FULLBLOG_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "FULLBLOG_COMMIT" $CONFIGURATION_FILE; then + FULLBLOG_COMMIT=$(grep "FULLBLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "GOGS_COMMIT" $CONFIGURATION_FILE; then + GOGS_COMMIT=$(grep "GOGS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "TOXCORE_COMMIT" $CONFIGURATION_FILE; then + TOXCORE_COMMIT=$(grep "TOXCORE_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "TOXIC_COMMIT" $CONFIGURATION_FILE; then + TOXIC_COMMIT=$(grep "TOXIC_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "GPGIT_REPO" $CONFIGURATION_FILE; then + GPGIT_REPO=$(grep "GPGIT_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "GPGIT_COMMIT" $CONFIGURATION_FILE; then + GPGIT_COMMIT=$(grep "GPGIT_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "HUBZILLA_REPO" $CONFIGURATION_FILE; then + HUBZILLA_REPO=$(grep "HUBZILLA_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "HUBZILLA_COMMIT" $CONFIGURATION_FILE; then + HUBZILLA_COMMIT=$(grep "HUBZILLA_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "IPFS_COMMIT" $CONFIGURATION_FILE; then + IPFS_COMMIT=$(grep "IPFS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ZERONET_BLOG_COMMIT" $CONFIGURATION_FILE; then + ZERONET_BLOG_COMMIT=$(grep "ZERONET_BLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ZERONET_MAIL_COMMIT" $CONFIGURATION_FILE; then + ZERONET_MAIL_COMMIT=$(grep "ZERONET_MAIL_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ZERONET_FORUM_COMMIT" $CONFIGURATION_FILE; then + ZERONET_FORUM_COMMIT=$(grep "ZERONET_FORUM_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MICROBLOG_COMMIT" $CONFIGURATION_FILE; then + MICROBLOG_COMMIT=$(grep "MICROBLOG_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "NGINX_ENSITE_REPO" $CONFIGURATION_FILE; then + NGINX_ENSITE_REPO=$(grep "NGINX_ENSITE_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "NGINX_ENSITE_COMMIT" $CONFIGURATION_FILE; then + NGINX_ENSITE_COMMIT=$(grep "NGINX_ENSITE_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "CLEANUP_MAILDIR_COMMIT" $CONFIGURATION_FILE; then + CLEANUP_MAILDIR_COMMIT=$(grep "CLEANUP_MAILDIR_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "CLEANUP_MAILDIR_REPO" $CONFIGURATION_FILE; then + CLEANUP_MAILDIR_REPO=$(grep "CLEANUP_MAILDIR_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ZERONET_COMMIT" $CONFIGURATION_FILE; then + ZERONET_COMMIT=$(grep "ZERONET_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "INADYN_REPO" $CONFIGURATION_FILE; then + INADYN_REPO=$(grep "INADYN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "INADYN_COMMIT" $CONFIGURATION_FILE; then + INADYN_COMMIT=$(grep "INADYN_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "GPG_KEYSERVER" $CONFIGURATION_FILE; then + GPG_KEYSERVER=$(grep "GPG_KEYSERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "IPFS_PORT" $CONFIGURATION_FILE; then + IPFS_PORT=$(grep "IPFS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "TRACKER_PORT" $CONFIGURATION_FILE; then + TRACKER_PORT=$(grep "TRACKER_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ZERONET_PORT" $CONFIGURATION_FILE; then + ZERONET_PORT=$(grep "ZERONET_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "DH_KEYLENGTH" $CONFIGURATION_FILE; then + DH_KEYLENGTH=$(grep "DH_KEYLENGTH" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "IRC_PORT" $CONFIGURATION_FILE; then + IRC_PORT=$(grep "IRC_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WIFI_CHANNEL" $CONFIGURATION_FILE; then + WIFI_CHANNEL=$(grep "WIFI_CHANNEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "BATMAN_CELLID" $CONFIGURATION_FILE; then + BATMAN_CELLID=$(grep "BATMAN_CELLID" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "TOX_PORT" $CONFIGURATION_FILE; then + TOX_PORT=$(grep "TOX_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "TOX_NODES" $CONFIGURATION_FILE; then + TOX_NODES=$(grep "TOX_NODES" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "TOXCORE_REPO" $CONFIGURATION_FILE; then + TOXCORE_REPO=$(grep "TOXCORE_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ENABLE_SOCIAL_KEY_MANAGEMENT" $CONFIGURATION_FILE; then + ENABLE_SOCIAL_KEY_MANAGEMENT=$(grep "ENABLE_SOCIAL_KEY_MANAGEMENT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "IPV6_NETWORK" $CONFIGURATION_FILE; then + IPV6_NETWORK=$(grep "IPV6_NETWORK" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "HWRNG_TYPE" $CONFIGURATION_FILE; then + HWRNG_TYPE=$(grep "HWRNG_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MEDIAGOBLIN_DOMAIN_NAME" $CONFIGURATION_FILE; then + MEDIAGOBLIN_DOMAIN_NAME=$(grep "MEDIAGOBLIN_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MEDIAGOBLIN_CODE" $CONFIGURATION_FILE; then + MEDIAGOBLIN_CODE=$(grep "MEDIAGOBLIN_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MEDIAGOBLIN_REPO" $CONFIGURATION_FILE; then + MEDIAGOBLIN_REPO=$(grep "MEDIAGOBLIN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MEDIAGOBLIN_COMMIT" $CONFIGURATION_FILE; then + MEDIAGOBLIN_COMMIT=$(grep "MEDIAGOBLIN_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "GIT_ADMIN_PASSWORD" $CONFIGURATION_FILE; then + GIT_ADMIN_PASSWORD=$(grep "GIT_ADMIN_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "GIT_DOMAIN_NAME" $CONFIGURATION_FILE; then + GIT_DOMAIN_NAME=$(grep "GIT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "GIT_CODE" $CONFIGURATION_FILE; then + GIT_CODE=$(grep "GIT_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SYSTEM_TYPE" $CONFIGURATION_FILE; then + SYSTEM_TYPE=$(grep "SYSTEM_TYPE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SSL_PROTOCOLS" $CONFIGURATION_FILE; then + SSL_PROTOCOLS=$(grep "SSL_PROTOCOLS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SSL_CIPHERS" $CONFIGURATION_FILE; then + SSL_CIPHERS=$(grep "SSL_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SSH_CIPHERS" $CONFIGURATION_FILE; then + SSH_CIPHERS=$(grep "SSH_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SSH_MACS" $CONFIGURATION_FILE; then + SSH_MACS=$(grep "SSH_MACS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SSH_KEX" $CONFIGURATION_FILE; then + SSH_KEX=$(grep "SSH_KEX" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SSH_HOST_KEY_ALGORITHMS" $CONFIGURATION_FILE; then + SSH_HOST_KEY_ALGORITHMS=$(grep "SSH_HOST_KEY_ALGORITHMS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SSH_PASSWORDS" $CONFIGURATION_FILE; then + SSH_PASSWORDS=$(grep "SSH_PASSWORDS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "XMPP_CIPHERS" $CONFIGURATION_FILE; then + XMPP_CIPHERS=$(grep "XMPP_CIPHERS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "XMPP_ECC_CURVE" $CONFIGURATION_FILE; then + XMPP_ECC_CURVE=$(grep "XMPP_ECC_CURVE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MY_USERNAME" $CONFIGURATION_FILE; then + MY_USERNAME=$(grep "MY_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "DOMAIN_NAME" $CONFIGURATION_FILE; then + # for backwards compatability + DEFAULT_DOMAIN_NAME=$(grep "DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE; then + DEFAULT_DOMAIN_NAME=$(grep "DEFAULT_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "DEFAULT_DOMAIN_CODE" $CONFIGURATION_FILE; then + DEFAULT_DOMAIN_CODE=$(grep "DEFAULT_DOMAIN_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "NAMESERVER1" $CONFIGURATION_FILE; then + NAMESERVER1=$(grep "NAMESERVER1" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "NAMESERVER2" $CONFIGURATION_FILE; then + NAMESERVER2=$(grep "NAMESERVER2" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "DEBIAN_REPO" $CONFIGURATION_FILE; then + DEBIAN_REPO=$(grep "DEBIAN_REPO" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + CHECK_MESSAGE=$"Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list." + fi + if grep -q "VOIP_PORT" $CONFIGURATION_FILE; then + VOIP_PORT=$(grep "VOIP_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "VOIP_SERVER_PASSWORD" $CONFIGURATION_FILE; then + VOIP_SERVER_PASSWORD=$(grep "VOIP_SERVER_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SIP_PORT" $CONFIGURATION_FILE; then + SIP_PORT=$(grep "SIP_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SIP_TLS_PORT" $CONFIGURATION_FILE; then + SIP_TLS_PORT=$(grep "SIP_TLS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SIP_SERVER_PASSWORD" $CONFIGURATION_FILE; then + SIP_SERVER_PASSWORD=$(grep "SIP_SERVER_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "GET_IP_ADDRESS_URL" $CONFIGURATION_FILE; then + GET_IP_ADDRESS_URL=$(grep "GET_IP_ADDRESS_URL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "DDNS_PROVIDER" $CONFIGURATION_FILE; then + DDNS_PROVIDER=$(grep "DDNS_PROVIDER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "DDNS_USERNAME" $CONFIGURATION_FILE; then + DDNS_USERNAME=$(grep "DDNS_USERNAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "DDNS_PASSWORD" $CONFIGURATION_FILE; then + DDNS_PASSWORD=$(grep "DDNS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "LOCAL_NETWORK_STATIC_IP_ADDRESS" $CONFIGURATION_FILE; then + LOCAL_NETWORK_STATIC_IP_ADDRESS=$(grep "LOCAL_NETWORK_STATIC_IP_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ENABLE_BABEL" $CONFIGURATION_FILE; then + ENABLE_BABEL=$(grep "ENABLE_BABEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ENABLE_BATMAN" $CONFIGURATION_FILE; then + ENABLE_BATMAN=$(grep "ENABLE_BATMAN" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ENABLE_CJDNS" $CONFIGURATION_FILE; then + ENABLE_CJDNS=$(grep "ENABLE_CJDNS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "CJDNS_COMMIT" $CONFIGURATION_FILE; then + CJDNS_COMMIT=$(grep "CJDNS_COMMIT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "CJDNS_IPV6" $CONFIGURATION_FILE; then + CJDNS_IPV6=$(grep "CJDNS_IPV6" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "CJDNS_PUBLIC_KEY" $CONFIGURATION_FILE; then + CJDNS_PUBLIC_KEY=$(grep "CJDNS_PUBLIC_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "CJDNS_PRIVATE_KEY" $CONFIGURATION_FILE; then + CJDNS_PRIVATE_KEY=$(grep "CJDNS_PRIVATE_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ROUTER_IP_ADDRESS" $CONFIGURATION_FILE; then + ROUTER_IP_ADDRESS=$(grep "ROUTER_IP_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "CPU_CORES" $CONFIGURATION_FILE; then + CPU_CORES=$(grep "CPU_CORES" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WEBSERVER_LOG_LEVEL" $CONFIGURATION_FILE; then + WEBSERVER_LOG_LEVEL=$(grep "WEBSERVER_LOG_LEVEL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "ROUTE_THROUGH_TOR" $CONFIGURATION_FILE; then + ROUTE_THROUGH_TOR=$(grep "ROUTE_THROUGH_TOR" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WIKI_TITLE" $CONFIGURATION_FILE; then + WIKI_TITLE=$(grep "WIKI_TITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MY_NAME" $CONFIGURATION_FILE; then + MY_NAME=$(grep "MY_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MY_EMAIL_ADDRESS" $CONFIGURATION_FILE; then + MY_EMAIL_ADDRESS=$(grep "MY_EMAIL_ADDRESS" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "INSTALLING_ON_BBB" $CONFIGURATION_FILE; then + INSTALLING_ON_BBB=$(grep "INSTALLING_ON_BBB" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "SSH_PORT" $CONFIGURATION_FILE; then + SSH_PORT=$(grep "SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "INSTALLED_WITHIN_DOCKER" $CONFIGURATION_FILE; then + INSTALLED_WITHIN_DOCKER=$(grep "INSTALLED_WITHIN_DOCKER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "PUBLIC_MAILING_LIST" $CONFIGURATION_FILE; then + PUBLIC_MAILING_LIST=$(grep "PUBLIC_MAILING_LIST" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MICROBLOG_DOMAIN_NAME" $CONFIGURATION_FILE; then + MICROBLOG_DOMAIN_NAME=$(grep "MICROBLOG_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MICROBLOG_CODE" $CONFIGURATION_FILE; then + MICROBLOG_CODE=$(grep "MICROBLOG_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "HUBZILLA_DOMAIN_NAME" $CONFIGURATION_FILE; then + HUBZILLA_DOMAIN_NAME=$(grep "HUBZILLA_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "HUBZILLA_CODE" $CONFIGURATION_FILE; then + HUBZILLA_CODE=$(grep "HUBZILLA_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WIKI_DOMAIN_NAME" $CONFIGURATION_FILE; then + WIKI_DOMAIN_NAME=$(grep "WIKI_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "WIKI_CODE" $CONFIGURATION_FILE; then + WIKI_CODE=$(grep "WIKI_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "FULLBLOG_DOMAIN_NAME" $CONFIGURATION_FILE; then + FULLBLOG_DOMAIN_NAME=$(grep "FULLBLOG_DOMAIN_NAME" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "FULLBLOG_CODE" $CONFIGURATION_FILE; then + FULLBLOG_CODE=$(grep "FULLBLOG_CODE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MY_BLOG_TITLE" $CONFIGURATION_FILE; then + MY_BLOG_TITLE=$(grep "MY_BLOG_TITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MY_BLOG_SUBTITLE" $CONFIGURATION_FILE; then + MY_BLOG_SUBTITLE=$(grep "MY_BLOG_SUBTITLE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "GPG_ENCRYPT_STORED_EMAIL" $CONFIGURATION_FILE; then + GPG_ENCRYPT_STORED_EMAIL=$(grep "GPG_ENCRYPT_STORED_EMAIL" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MY_GPG_PUBLIC_KEY" $CONFIGURATION_FILE; then + MY_GPG_PUBLIC_KEY=$(grep "MY_GPG_PUBLIC_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MY_GPG_PRIVATE_KEY" $CONFIGURATION_FILE; then + MY_GPG_PRIVATE_KEY=$(grep "MY_GPG_PRIVATE_KEY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MY_GPG_PUBLIC_KEY_ID" $CONFIGURATION_FILE; then + MY_GPG_PUBLIC_KEY_ID=$(grep "MY_GPG_PUBLIC_KEY_ID" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "USB_DRIVE" $CONFIGURATION_FILE; then + USB_DRIVE=$(grep "USB_DRIVE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MAX_PHP_MEMORY" $CONFIGURATION_FILE; then + MAX_PHP_MEMORY=$(grep "MAX_PHP_MEMORY" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "TLS_TIME_SOURCE1" $CONFIGURATION_FILE; then + TLS_TIME_SOURCE1=$(grep "TLS_TIME_SOURCE1" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "TLS_TIME_SOURCE2" $CONFIGURATION_FILE; then + TLS_TIME_SOURCE2=$(grep "TLS_TIME_SOURCE2" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + fi + echo "System type: $SYSTEM_TYPE" +} + +# check that domain names are sensible +function check_domains { + if [ ${#WIKI_DOMAIN_NAME} -gt 1 ]; then + function_check test_domain_name + test_domain_name "$WIKI_DOMAIN_NAME" + + if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then + echo $'Wiki domain name is the same as blog domain name. They must be different' + exit 97326 + fi + if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then + echo $'Wiki domain name is the same as microblog domain name. They must be different' + exit 36827 + fi + if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then + echo $'Wiki domain name is the same as hubzilla domain name. They must be different' + exit 65848 + fi + if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then + if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then + echo $'Wiki domain name is the same as Gogs domain name. They must be different' + exit 73529 + fi + fi + fi + + if [ ${#FULLBLOG_DOMAIN_NAME} -gt 1 ]; then + function_check test_domain_name + test_domain_name "$FULLBLOG_DOMAIN_NAME" + + if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then + echo $'Blog domain name is the same as wiki domain name. They must be different' + exit 62348 + fi + if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then + echo $'Blog domain name is the same as microblog domain name. They must be different' + exit 38236 + fi + if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then + echo $'Blog domain name is the same as hubzilla domain name. They must be different' + exit 35483 + fi + if [ $GIT_DOMAIN_NAME ]; then + if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then + echo $'Blog domain name is the same as Gogs domain name. They must be different' + exit 84695 + fi + fi + fi + + if [ ${#MICROBLOG_DOMAIN_NAME} -gt 1 ]; then + function_check test_domain_name + test_domain_name "$MICROBLOG_DOMAIN_NAME" + + if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then + echo $'Microblog domain name is the same as wiki domain name. They must be different' + exit 73924 + fi + if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then + echo $'Microblog domain name is the same as blog domain name. They must be different' + exit 26832 + fi + if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then + echo $'Microblog domain name is the same as hubzilla domain name. They must be different' + exit 678382 + fi + if [ $GIT_DOMAIN_NAME ]; then + if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then + echo $'Microblog domain name is the same as Gogs domain name. They must be different' + exit 684325 + fi + fi + fi + + if [ $HUBZILLA_DOMAIN_NAME ]; then + function_check test_domain_name + test_domain_name "$HUBZILLA_DOMAIN_NAME" + + if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then + echo $'Hubzilla domain name is the same as wiki domain name. They must be different' + exit 83682 + fi + if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then + echo $'Hubzilla domain name is the same as blog domain name. They must be different' + exit 74817 + fi + if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then + echo $'Hubzilla domain name is the same as microblog domain name. They must be different' + exit 83683 + fi + if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then + if [[ "$test_domain_name" == "$GIT_DOMAIN_NAME" ]]; then + echo $'Hubzilla domain name is the same as Gogs domain name. They must be different' + exit 135523 + fi + fi + fi + + if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then + function_check test_domain_name + test_domain_name "$GIT_DOMAIN_NAME" + + if [[ "$test_domain_name" == "$WIKI_DOMAIN_NAME" ]]; then + echo $'Hubzilla domain name is the same as wiki domain name. They must be different' + exit 83682 + fi + if [[ "$test_domain_name" == "$FULLBLOG_DOMAIN_NAME" ]]; then + echo $'Hubzilla domain name is the same as blog domain name. They must be different' + exit 74817 + fi + if [[ "$test_domain_name" == "$MICROBLOG_DOMAIN_NAME" ]]; then + echo $'Hubzilla domain name is the same as microblog domain name. They must be different' + exit 83683 + fi + if [[ "$test_domain_name" == "$HUBZILLA_DOMAIN_NAME" ]]; then + echo $'Microblog domain name is the same as hubzilla domain name. They must be different' + exit 678382 + fi + fi +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-cron b/src/freedombone-utils-cron new file mode 100755 index 00000000..05f58b76 --- /dev/null +++ b/src/freedombone-utils-cron @@ -0,0 +1,76 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Cron functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function cron_add_mins { + if ! grep -q "${2}" /etc/crontab; then + echo "*/${1} * * * * root ${2}" >> /etc/crontab + systemctl restart cron + fi +} + +function randomize_cron { + # The predictable default timing of Debian cron jobs might + # be exploitable knowledge. Avoid too much predictability + # by randomizing the times when cron jobs run + if grep -Fxq "randomize_cron" $COMPLETION_FILE; then + return + fi + + # randomize the day on which the weekly cron job runs + randdow=$(($RANDOM%6+1)) + sed -i "s|\* \* 7|* * $randdow|g" /etc/crontab + + # randomize the time when the weekly cron job runs + randmin=$(($RANDOM%60)) + randhr=$(($RANDOM%3+1)) + sed -i "s|47 6|$randmin $randhr|g" /etc/crontab + + # randomize the time when the daily cron job runs + randmin=$(($RANDOM%60)) + randhr=$(($RANDOM%3+4)) + sed -i "s|25 6\t\* \* \*|$randmin $randhr\t* * *|g" /etc/crontab + + # randomize the time when the hourly cron job runs + randmin=$(($RANDOM%60)) + sed -i "s|17 \*\t|$randmin *\t|g" /etc/crontab + + # randomize monthly cron job time and day + randmin=$(($RANDOM%60)) + randhr=$(($RANDOM%22+1)) + randdom=$(($RANDOM%27+1)) + sed -i "s|52 6\t|$randmin $randhr\t|g" /etc/crontab + sed -i "s|\t1 \* \*|\t$randdom * *|g" /etc/crontab + + systemctl restart cron + + echo 'randomize_cron' >> $COMPLETION_FILE +} + +# NOTE: deliberately there is no "exit 0" diff --git a/src/freedombone-utils-database b/src/freedombone-utils-database index 87ab126d..429c558d 100755 --- a/src/freedombone-utils-database +++ b/src/freedombone-utils-database @@ -28,272 +28,298 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . +# default MariaDB password +MARIADB_PASSWORD= + +# Used to indicate whether the backup contains MariaDB databases or not +BACKUP_INCLUDES_DATABASES="no" + +# contains the mysql root password which +# is used for backups and repair +DATABASE_PASSWORD_FILE=/root/dbpass + function backup_database_local { -# Makes local backups of databases which can then be automatically rolled -# back if corruption is detected -database_name=$1 + # Makes local backups of databases which can then be automatically rolled + # back if corruption is detected + database_name=$1 -backup_databases_script=/usr/bin/backupdatabases -echo '' >> $backup_databases_script -echo "# Backup the ${database_name} database" >> $backup_databases_script -echo "TEMPFILE=/root/${database_name}.sql" >> $backup_databases_script -echo 'DAILYFILE=/var/backups/${database_name}_daily.sql' >> $backup_databases_script -echo "mysqldump --password=\"\$MYSQL_PASSWORD\" ${database_name} > \$TEMPFILE" >> $backup_databases_script -echo 'FILESIZE=$(stat -c%s $TEMPFILE)' >> $backup_databases_script -echo 'if [ "$FILESIZE" -eq "0" ]; then' >> $backup_databases_script -echo ' if [ -f $DAILYFILE ]; then' >> $backup_databases_script -echo ' cp $DAILYFILE $TEMPFILE' >> $backup_databases_script -echo '' >> $backup_databases_script -echo ' # try to restore yesterdays database' >> $backup_databases_script -echo " mysql -u root --password=\"\$MYSQL_PASSWORD\" ${database_name} -o < \$DAILYFILE" >> $backup_databases_script -echo '' >> $backup_databases_script -echo ' # Send a warning email' >> $backup_databases_script -echo " echo \"Unable to create a backup of the ${database_name} database. Attempted to restore from yesterdays backup\" | mail -s \"${database_name} backup\" \$EMAIL" >> $backup_databases_script -echo ' else' >> $backup_databases_script -echo ' # Send a warning email' >> $backup_databases_script -echo " echo \"Unable to create a backup of the ${database_name} database.\" | mail -s \"${database_name} backup\" \$EMAIL" >> $backup_databases_script -echo ' fi' >> $backup_databases_script -echo 'else' >> $backup_databases_script -echo ' chmod 600 $TEMPFILE' >> $backup_databases_script -echo ' mv $TEMPFILE $DAILYFILE' >> $backup_databases_script -echo '' >> $backup_databases_script -echo ' # Make the backup readable only by root' >> $backup_databases_script -echo ' chmod 600 $DAILYFILE' >> $backup_databases_script -echo 'fi' >> $backup_databases_script + backup_databases_script=/usr/bin/backupdatabases + echo '' >> $backup_databases_script + echo "# Backup the ${database_name} database" >> $backup_databases_script + echo "TEMPFILE=/root/${database_name}.sql" >> $backup_databases_script + echo 'DAILYFILE=/var/backups/${database_name}_daily.sql' >> $backup_databases_script + echo "mysqldump --password=\"\$MYSQL_PASSWORD\" ${database_name} > \$TEMPFILE" >> $backup_databases_script + echo 'FILESIZE=$(stat -c%s $TEMPFILE)' >> $backup_databases_script + echo 'if [ "$FILESIZE" -eq "0" ]; then' >> $backup_databases_script + echo ' if [ -f $DAILYFILE ]; then' >> $backup_databases_script + echo ' cp $DAILYFILE $TEMPFILE' >> $backup_databases_script + echo '' >> $backup_databases_script + echo ' # try to restore yesterdays database' >> $backup_databases_script + echo " mysql -u root --password=\"\$MYSQL_PASSWORD\" ${database_name} -o < \$DAILYFILE" >> $backup_databases_script + echo '' >> $backup_databases_script + echo ' # Send a warning email' >> $backup_databases_script + echo " echo \"Unable to create a backup of the ${database_name} database. Attempted to restore from yesterdays backup\" | mail -s \"${database_name} backup\" \$EMAIL" >> $backup_databases_script + echo ' else' >> $backup_databases_script + echo ' # Send a warning email' >> $backup_databases_script + echo " echo \"Unable to create a backup of the ${database_name} database.\" | mail -s \"${database_name} backup\" \$EMAIL" >> $backup_databases_script + echo ' fi' >> $backup_databases_script + echo 'else' >> $backup_databases_script + echo ' chmod 600 $TEMPFILE' >> $backup_databases_script + echo ' mv $TEMPFILE $DAILYFILE' >> $backup_databases_script + echo '' >> $backup_databases_script + echo ' # Make the backup readable only by root' >> $backup_databases_script + echo ' chmod 600 $DAILYFILE' >> $backup_databases_script + echo 'fi' >> $backup_databases_script -weekly_backup_script=/etc/cron.weekly/backupdatabasesweekly -if ! grep -q "${database_name}" ${weekly_backup_script}; then -echo '' >> ${weekly_backup_script} -echo "# ${database_name}" >> ${weekly_backup_script} -echo "if [ -f /var/backups/${database_name}_weekly.sql ]; then" >> ${weekly_backup_script} -echo " cp -f /var/backups/${database_name}_weekly.sql /var/backups/${database_name}_2weekly.sql" >> ${weekly_backup_script} -echo 'fi' >> ${weekly_backup_script} -echo "if [ -f /var/backups/${database_name}_daily.sql ]; then" >> ${weekly_backup_script} -echo " cp -f /var/backups/${database_name}_daily.sql /var/backups/${database_name}_weekly.sql" >> ${weekly_backup_script} -echo 'fi' >> ${weekly_backup_script} -fi + weekly_backup_script=/etc/cron.weekly/backupdatabasesweekly + if ! grep -q "${database_name}" ${weekly_backup_script}; then + echo '' >> ${weekly_backup_script} + echo "# ${database_name}" >> ${weekly_backup_script} + echo "if [ -f /var/backups/${database_name}_weekly.sql ]; then" >> ${weekly_backup_script} + echo " cp -f /var/backups/${database_name}_weekly.sql /var/backups/${database_name}_2weekly.sql" >> ${weekly_backup_script} + echo 'fi' >> ${weekly_backup_script} + echo "if [ -f /var/backups/${database_name}_daily.sql ]; then" >> ${weekly_backup_script} + echo " cp -f /var/backups/${database_name}_daily.sql /var/backups/${database_name}_weekly.sql" >> ${weekly_backup_script} + echo 'fi' >> ${weekly_backup_script} + fi -monthly_backup_script=/etc/cron.monthly/backupdatabasesmonthly -if ! grep -q "${database_name}" ${monthly_backup_script}; then -echo '' >> ${monthly_backup_script} -echo "# ${database_name}" >> ${monthly_backup_script} -echo "if [ -f /var/backups/${database_name}_monthly.sql ]; then" >> ${monthly_backup_script} -echo " cp -f /var/backups/${database_name}_monthly.sql /var/backups/${database_name}_2monthly.sql" >> ${monthly_backup_script} -echo 'fi' >> ${monthly_backup_script} -echo "if [ -f /var/backups/${database_name}_weekly.sql ]; then" >> ${monthly_backup_script} -echo " cp -f /var/backups/${database_name}_weekly.sql /var/backups/${database_name}_monthly.sql" >> ${monthly_backup_script} -echo 'fi' >> ${monthly_backup_script} -fi + monthly_backup_script=/etc/cron.monthly/backupdatabasesmonthly + if ! grep -q "${database_name}" ${monthly_backup_script}; then + echo '' >> ${monthly_backup_script} + echo "# ${database_name}" >> ${monthly_backup_script} + echo "if [ -f /var/backups/${database_name}_monthly.sql ]; then" >> ${monthly_backup_script} + echo " cp -f /var/backups/${database_name}_monthly.sql /var/backups/${database_name}_2monthly.sql" >> ${monthly_backup_script} + echo 'fi' >> ${monthly_backup_script} + echo "if [ -f /var/backups/${database_name}_weekly.sql ]; then" >> ${monthly_backup_script} + echo " cp -f /var/backups/${database_name}_weekly.sql /var/backups/${database_name}_monthly.sql" >> ${monthly_backup_script} + echo 'fi' >> ${monthly_backup_script} + fi -if ! grep -q "${database_name}" /etc/cron.hourly/repair; then -echo "${PROJECT_NAME}-repair-database ${database_name}" >> /etc/cron.hourly/repair -# remove legacy stuff -sed -i 's|/usr/bin/repairdatabase redmatrix||g' /etc/cron.hourly/repair -fi + if ! grep -q "${database_name}" /etc/cron.hourly/repair; then + echo "${PROJECT_NAME}-repair-database ${database_name}" >> /etc/cron.hourly/repair + # remove legacy stuff + sed -i 's|/usr/bin/repairdatabase redmatrix||g' /etc/cron.hourly/repair + fi } function get_mariadb_password { -if [ -f /home/$MY_USERNAME/README ]; then -if grep -q "MariaDB password" /home/$MY_USERNAME/README; then -if [ -f $DATABASE_PASSWORD_FILE ]; then -MARIADB_PASSWORD=$(cat $DATABASE_PASSWORD_FILE) -else -MARIADB_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB password" | awk -F ':' '{print $2}' | sed 's/^ *//') -echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE -chmod 600 $DATABASE_PASSWORD_FILE -fi -fi -fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "MariaDB password" /home/$MY_USERNAME/README; then + if [ -f $DATABASE_PASSWORD_FILE ]; then + MARIADB_PASSWORD=$(cat $DATABASE_PASSWORD_FILE) + else + MARIADB_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB password" | awk -F ':' '{print $2}' | sed 's/^ *//') + echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE + chmod 600 $DATABASE_PASSWORD_FILE + fi + fi + fi } function get_mariadb_media_server_admin_password { -if [ -f /home/$MY_USERNAME/README ]; then -if grep -q "Media server administrator password" /home/$MY_USERNAME/README; then -MEDIA_SERVER_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Media server administrator password" | awk -F ':' '{print $2}' | sed 's/^ *//') -fi -fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "Media server administrator password" /home/$MY_USERNAME/README; then + MEDIA_SERVER_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Media server administrator password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi } function get_mariadb_gnusocial_admin_password { -if [ -f /home/$MY_USERNAME/README ]; then -if grep -q "MariaDB gnusocial admin password" /home/$MY_USERNAME/README; then -MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB gnusocial admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') -fi -if grep -q "Microblog administrator password" /home/$MY_USERNAME/README; then -MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Microblog administrator password" | awk -F ':' '{print $2}' | sed 's/^ *//') -fi -fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "MariaDB gnusocial admin password" /home/$MY_USERNAME/README; then + MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB gnusocial admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + if grep -q "Microblog administrator password" /home/$MY_USERNAME/README; then + MICROBLOG_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Microblog administrator password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi } function get_mariadb_webmail_admin_password { -if [ -f /home/$MY_USERNAME/README ]; then -if grep -q "MariaDB webmail admin password" /home/$MY_USERNAME/README; then -WEBMAIL_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB webmail admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') -fi -fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "MariaDB webmail admin password" /home/$MY_USERNAME/README; then + WEBMAIL_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB webmail admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi } function get_mariadb_rss_reader_admin_password { -if [ -f /home/$MY_USERNAME/README ]; then -if grep -q "RSS reader admin password" /home/$MY_USERNAME/README; then -RSS_READER_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "RSS reader admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') -fi -fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "RSS reader admin password" /home/$MY_USERNAME/README; then + RSS_READER_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "RSS reader admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi } function get_mariadb_git_admin_password { -if [ -f /home/$MY_USERNAME/README ]; then -if grep -q "Gogs admin user password" /home/$MY_USERNAME/README; then -GIT_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Gogs admin user password" | awk -F ':' '{print $2}' | sed 's/^ *//') -fi -fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "Gogs admin user password" /home/$MY_USERNAME/README; then + GIT_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "Gogs admin user password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi } function get_mariadb_hubzilla_admin_password { -if [ -f /home/$MY_USERNAME/README ]; then -if grep -q "MariaDB Hubzilla admin password" /home/$MY_USERNAME/README; then -HUBZILLA_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB Hubzilla admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') -fi -fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "MariaDB Hubzilla admin password" /home/$MY_USERNAME/README; then + HUBZILLA_ADMIN_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "MariaDB Hubzilla admin password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi } function install_mariadb { -if grep -Fxq "install_mariadb" $COMPLETION_FILE; then -return -fi -apt-get -y install python-software-properties debconf-utils -apt-get -y install software-properties-common -apt-get -y update + if grep -Fxq "install_mariadb" $COMPLETION_FILE; then + return + fi + apt-get -y install python-software-properties debconf-utils + apt-get -y install software-properties-common + apt-get -y update -get_mariadb_password -if [ ! $MARIADB_PASSWORD ]; then -if [ -f $IMAGE_PASSWORD_FILE ]; then -MARIADB_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" -else -MARIADB_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" -fi -echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE -chmod 600 $DATABASE_PASSWORD_FILE + function_check get_mariadb_password + get_mariadb_password + if [ ! $MARIADB_PASSWORD ]; then + if [ -f $IMAGE_PASSWORD_FILE ]; then + MARIADB_PASSWORD="$(printf `cat $IMAGE_PASSWORD_FILE`)" + else + MARIADB_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})" + fi + echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE + chmod 600 $DATABASE_PASSWORD_FILE -echo '' >> /home/$MY_USERNAME/README -echo '' >> /home/$MY_USERNAME/README -echo 'MariaDB / MySql' >> /home/$MY_USERNAME/README -echo '===============' >> /home/$MY_USERNAME/README -echo $"Your MariaDB password is: $MARIADB_PASSWORD" >> /home/$MY_USERNAME/README -echo '' >> /home/$MY_USERNAME/README -chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README -chmod 600 /home/$MY_USERNAME/README -fi + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo 'MariaDB / MySql' >> /home/$MY_USERNAME/README + echo '===============' >> /home/$MY_USERNAME/README + echo $"Your MariaDB password is: $MARIADB_PASSWORD" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi -debconf-set-selections <<< "mariadb-server mariadb-server/root_password password $MARIADB_PASSWORD" -debconf-set-selections <<< "mariadb-server mariadb-server/root_password_again password $MARIADB_PASSWORD" -apt-get -y install mariadb-server -apt-get -y remove --purge apache* -if [ -d /etc/apache2 ]; then -rm -rf /etc/apache2 -echo $'Removed Apache installation after MariaDB install' -fi + debconf-set-selections <<< "mariadb-server mariadb-server/root_password password $MARIADB_PASSWORD" + debconf-set-selections <<< "mariadb-server mariadb-server/root_password_again password $MARIADB_PASSWORD" + apt-get -y install mariadb-server + apt-get -y remove --purge apache* + if [ -d /etc/apache2 ]; then + rm -rf /etc/apache2 + echo $'Removed Apache installation after MariaDB install' + fi -if [ ! -d /etc/mysql ]; then -echo $"ERROR: mariadb-server does not appear to have installed. $CHECK_MESSAGE" -exit 54 -fi + if [ ! -d /etc/mysql ]; then + echo $"ERROR: mariadb-server does not appear to have installed. $CHECK_MESSAGE" + exit 54 + fi -mysqladmin -u root password "$MARIADB_PASSWORD" -echo 'install_mariadb' >> $COMPLETION_FILE + mysqladmin -u root password "$MARIADB_PASSWORD" + echo 'install_mariadb' >> $COMPLETION_FILE } function backup_databases_script_header { -if [ ! -f /usr/bin/backupdatabases ]; then -# daily -echo '#!/bin/sh' > /usr/bin/backupdatabases -echo '' >> /usr/bin/backupdatabases -echo "EMAIL='$MY_EMAIL_ADDRESS'" >> /usr/bin/backupdatabases -echo '' >> /usr/bin/backupdatabases -echo -n 'MYSQL_PASSWORD=$(cat ' >> /usr/bin/backupdatabases -echo "$DATABASE_PASSWORD_FILE)" >> /usr/bin/backupdatabases -echo 'umask 0077' >> /usr/bin/backupdatabases -echo '' >> /usr/bin/backupdatabases -echo '# exit if we are backing up to friends servers' >> /usr/bin/backupdatabases -echo "if [ -f $FRIENDS_SERVERS_LIST ]; then" >> /usr/bin/backupdatabases -echo ' exit 1' >> /usr/bin/backupdatabases -echo 'fi' >> /usr/bin/backupdatabases -chmod 600 /usr/bin/backupdatabases -chmod +x /usr/bin/backupdatabases + if [ ! -f /usr/bin/backupdatabases ]; then + # daily + echo '#!/bin/sh' > /usr/bin/backupdatabases + echo '' >> /usr/bin/backupdatabases + echo "EMAIL='$MY_EMAIL_ADDRESS'" >> /usr/bin/backupdatabases + echo '' >> /usr/bin/backupdatabases + echo -n 'MYSQL_PASSWORD=$(cat ' >> /usr/bin/backupdatabases + echo "$DATABASE_PASSWORD_FILE)" >> /usr/bin/backupdatabases + echo 'umask 0077' >> /usr/bin/backupdatabases + echo '' >> /usr/bin/backupdatabases + echo '# exit if we are backing up to friends servers' >> /usr/bin/backupdatabases + echo "if [ -f $FRIENDS_SERVERS_LIST ]; then" >> /usr/bin/backupdatabases + echo ' exit 1' >> /usr/bin/backupdatabases + echo 'fi' >> /usr/bin/backupdatabases + chmod 600 /usr/bin/backupdatabases + chmod +x /usr/bin/backupdatabases -echo '#!/bin/sh' > /etc/cron.daily/backupdatabasesdaily -echo '/usr/bin/backupdatabases' >> /etc/cron.daily/backupdatabasesdaily -chmod 600 /etc/cron.daily/backupdatabasesdaily -chmod +x /etc/cron.daily/backupdatabasesdaily + echo '#!/bin/sh' > /etc/cron.daily/backupdatabasesdaily + echo '/usr/bin/backupdatabases' >> /etc/cron.daily/backupdatabasesdaily + chmod 600 /etc/cron.daily/backupdatabasesdaily + chmod +x /etc/cron.daily/backupdatabasesdaily -# weekly -echo '#!/bin/sh' > /etc/cron.weekly/backupdatabasesweekly -echo '' >> /etc/cron.weekly/backupdatabasesweekly -echo 'umask 0077' >> /etc/cron.weekly/backupdatabasesweekly + # weekly + echo '#!/bin/sh' > /etc/cron.weekly/backupdatabasesweekly + echo '' >> /etc/cron.weekly/backupdatabasesweekly + echo 'umask 0077' >> /etc/cron.weekly/backupdatabasesweekly -chmod 600 /etc/cron.weekly/backupdatabasesweekly -chmod +x /etc/cron.weekly/backupdatabasesweekly + chmod 600 /etc/cron.weekly/backupdatabasesweekly + chmod +x /etc/cron.weekly/backupdatabasesweekly -# monthly -echo '#!/bin/sh' > /etc/cron.monthly/backupdatabasesmonthly -echo '' >> /etc/cron.monthly/backupdatabasesmonthly -echo 'umask 0077' >> /etc/cron.monthly/backupdatabasesmonthly + # monthly + echo '#!/bin/sh' > /etc/cron.monthly/backupdatabasesmonthly + echo '' >> /etc/cron.monthly/backupdatabasesmonthly + echo 'umask 0077' >> /etc/cron.monthly/backupdatabasesmonthly -chmod 600 /etc/cron.monthly/backupdatabasesmonthly -chmod +x /etc/cron.monthly/backupdatabasesmonthly -fi + chmod 600 /etc/cron.monthly/backupdatabasesmonthly + chmod +x /etc/cron.monthly/backupdatabasesmonthly + fi } function repair_databases_script { -if [ -f /etc/cron.hourly/repair ]; then -sed -i "s|/usr/bin/repairdatabase|${PROJECT_NAME}-repair-database|g" /etc/cron.hourly/repair -fi + if [ -f /etc/cron.hourly/repair ]; then + sed -i "s|/usr/bin/repairdatabase|${PROJECT_NAME}-repair-database|g" /etc/cron.hourly/repair + fi -if grep -Fxq "repair_databases_script" $COMPLETION_FILE; then -return -fi + if grep -Fxq "repair_databases_script" $COMPLETION_FILE; then + return + fi -if [ ! -f $DATABASE_PASSWORD_FILE ]; then -return -fi + if [ ! -f $DATABASE_PASSWORD_FILE ]; then + return + fi -echo '#!/bin/bash' > /etc/cron.hourly/repair -echo '' >> /etc/cron.hourly/repair -chmod 600 /etc/cron.hourly/repair -chmod +x /etc/cron.hourly/repair + echo '#!/bin/bash' > /etc/cron.hourly/repair + echo '' >> /etc/cron.hourly/repair + chmod 600 /etc/cron.hourly/repair + chmod +x /etc/cron.hourly/repair -echo 'repair_databases_script' >> $COMPLETION_FILE + echo 'repair_databases_script' >> $COMPLETION_FILE } function remove_database { -app_name="$1" -if [ ! -d $INSTALL_DIR ]; then -mkdir $INSTALL_DIR -fi -echo "drop database ${app_name}; + app_name="$1" + if [ ! -d $INSTALL_DIR ]; then + mkdir $INSTALL_DIR + fi + echo "drop database ${app_name}; quit" > $INSTALL_DIR/batch.sql -chmod 600 $INSTALL_DIR/batch.sql -mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql -shred -zu $INSTALL_DIR/batch.sql + chmod 600 $INSTALL_DIR/batch.sql + mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql + shred -zu $INSTALL_DIR/batch.sql } function create_database { -app_name="$1" -app_admin_password="$2" -app_admin_username=$3 -if [ ! -d $INSTALL_DIR ]; then -mkdir $INSTALL_DIR -fi -if [ ! $app_admin_username ]; then -app_admin_username=${app_name}admin -fi -echo "create database ${app_name}; + app_name="$1" + app_admin_password="$2" + app_admin_username=$3 + if [ ! -d $INSTALL_DIR ]; then + mkdir $INSTALL_DIR + fi + if [ ! $app_admin_username ]; then + app_admin_username=${app_name}admin + fi + echo "create database ${app_name}; CREATE USER '$app_admin_username@localhost' IDENTIFIED BY '${app_admin_password}'; GRANT ALL PRIVILEGES ON ${app_name}.* TO '$app_admin_username@localhost'; quit" > $INSTALL_DIR/batch.sql -chmod 600 $INSTALL_DIR/batch.sql -mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql -shred -zu $INSTALL_DIR/batch.sql + chmod 600 $INSTALL_DIR/batch.sql + mysql -u root --password="$MARIADB_PASSWORD" < $INSTALL_DIR/batch.sql + shred -zu $INSTALL_DIR/batch.sql +} + +function initialise_database { + database_name=$1 + database_file=$2 + mysql -u root --password="$MARIADB_PASSWORD" -D $database_name < $database_file + if [ ! "$?" = "0" ]; then + exit 62952 + fi +} + +function run_query { + database_name=$1 + database_query=$2 + mysql -u root --password="$MARIADB_PASSWORD" -e "$database_query" $database_name } # NOTE: deliberately there is no "exit 0" diff --git a/src/freedombone-utils-depends b/src/freedombone-utils-depends new file mode 100755 index 00000000..ceb19337 --- /dev/null +++ b/src/freedombone-utils-depends @@ -0,0 +1,39 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Dependency checking functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function function_check { + if [ ! "$(type ${1} 2>/dev/null)" ]; then + echo $"Dependency error: The function ${1} has not been defined" + exit 72528 + fi +} + + +# NOTE: deliberately there is no "exit 0" diff --git a/src/freedombone-utils-dns b/src/freedombone-utils-dns new file mode 100755 index 00000000..7978089b --- /dev/null +++ b/src/freedombone-utils-dns @@ -0,0 +1,241 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# DNS functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# DNS +NAMESERVER1='213.73.91.35' +NAMESERVER2='85.214.20.141' + +# parameters used when adding a new domain +DDNS_PROVIDER="default@freedns.afraid.org" +DDNS_USERNAME= +DDNS_PASSWORD= + +INADYN_REPO="https://github.com/bashrc/inadyn" +INADYN_COMMIT='fadbe17f520d337dfb8d69ee4bf1fcaa23fce0d6' + +# web site used to obtain the external IP address of the system +GET_IP_ADDRESS_URL="checkip.two-dns.de" + +# other possible services to obtain the external IP address +EXTERNAL_IP_SERVICES=( \ + 'https://check.torproject.org/' \ + 'https://www.whatsmydns.net/whats-my-ip-address.html' \ + 'https://www.privateinternetaccess.com/pages/whats-my-ip/' \ + 'http://checkip.two-dns.de' \ + 'http://ip.dnsexit.com' \ + 'http://ifconfig.me/ip' \ + 'http://ipecho.net/plain' \ + 'http://checkip.dyndns.org/plain' \ + 'http://ipogre.com/linux.php' \ + 'http://whatismyipaddress.com/' \ + 'http://ip.my-proxy.com/' \ + 'http://websiteipaddress.com/WhatIsMyIp' \ + 'http://getmyipaddress.org/' \ + 'http://www.my-ip-address.net/' \ + 'http://myexternalip.com/raw' \ + 'http://www.canyouseeme.org/' \ + 'http://www.trackip.net/' \ + 'http://icanhazip.com/' \ + 'http://www.iplocation.net/' \ + 'http://www.howtofindmyipaddress.com/' \ + 'http://www.ipchicken.com/' \ + 'http://whatsmyip.net/' \ + 'http://www.ip-adress.com/' \ + 'http://checkmyip.com/' \ + 'http://www.tracemyip.org/' \ + 'http://checkmyip.net/' \ + 'http://www.lawrencegoetz.com/programs/ipinfo/' \ + 'http://www.findmyip.co/' \ + 'http://ip-lookup.net/' \ + 'http://www.dslreports.com/whois' \ + 'http://www.mon-ip.com/en/my-ip/' \ + 'http://www.myip.ru' \ + 'http://ipgoat.com/' \ + 'http://www.myipnumber.com/my-ip-address.asp' \ + 'http://www.whatsmyipaddress.net/' \ + 'http://formyip.com/' \ + 'http://www.displaymyip.com/' \ + 'http://www.bobborst.com/tools/whatsmyip/' \ + 'http://www.geoiptool.com/' \ + 'http://checkip.dyndns.com/' \ + 'http://myexternalip.com/' \ + 'http://www.ip-adress.eu/' \ + 'http://www.infosniper.net/' \ + 'http://wtfismyip.com/' \ + 'http://ipinfo.io/' \ + 'http://httpbin.org/ip') + +function create_freedns_updater { + if [[ $ONION_ONLY != "no" ]]; then + return + fi + + # currently inadyn doesn't work as expected with freeDNS, so this is a workaround + if grep -Fxq "create_freedns_updater" $COMPLETION_FILE; then + return + fi + if [[ $DDNS_PROVIDER != "default@freedns.afraid.org" ]]; then + return + fi + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + FREEDNS_WGET='wget -q --read-timeout=0.0 --waitretry=5 --tries=4 https://freedns.afraid.org/dynamic/update.php?' + + echo '#!/bin/bash' > /usr/bin/dynamicdns + echo 'cd /tmp' >> /usr/bin/dynamicdns + if [ $DEFAULT_DOMAIN_CODE ]; then + echo "# $DEFAULT_DOMAIN_NAME" >> /usr/bin/dynamicdns + echo "$FREEDNS_WGET$DEFAULT_DOMAIN_CODE=" >> /usr/bin/dynamicdns + fi + if [ $WIKI_CODE ]; then + if [[ $WIKI_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then + echo "# $WIKI_DOMAIN_NAME" >> /usr/bin/dynamicdns + echo "$FREEDNS_WGET$WIKI_CODE=" >> /usr/bin/dynamicdns + fi + fi + if [ $FULLBLOG_CODE ]; then + if [[ $FULLBLOG_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then + echo "# $FULLBLOG_DOMAIN_NAME" >> /usr/bin/dynamicdns + echo "$FREEDNS_WGET$FULLBLOG_CODE=" >> /usr/bin/dynamicdns + fi + fi + if [ $HUBZILLA_CODE ]; then + if [[ $HUBZILLA_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then + echo "# $HUBZILLA_DOMAIN_NAME" >> /usr/bin/dynamicdns + echo "$FREEDNS_WGET$HUBZILLA_CODE=" >> /usr/bin/dynamicdns + fi + fi + if [ $MICROBLOG_CODE ]; then + if [[ $MICROBLOG_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then + echo "# $MICROBLOG_DOMAIN_NAME" >> /usr/bin/dynamicdns + echo "$FREEDNS_WGET$MICROBLOG_CODE=" >> /usr/bin/dynamicdns + fi + fi + if [ $GIT_CODE ]; then + if [[ $GIT_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then + echo "# $GIT_DOMAIN_NAME" >> /usr/bin/dynamicdns + echo "$FREEDNS_WGET$GIT_CODE=" >> /usr/bin/dynamicdns + fi + fi + if [ $MEDIAGOBLIN_CODE ]; then + if [[ $MEDIAGOBLIN_CODE != "$DEFAULT_DOMAIN_CODE" ]]; then + echo "# $MEDIAGOBLIN_DOMAIN_NAME" >> /usr/bin/dynamicdns + echo "$FREEDNS_WGET$MEDIAGOBLIN_CODE=" >> /usr/bin/dynamicdns + fi + fi + echo 'exit 0' >> /usr/bin/dynamicdns + chmod 600 /usr/bin/dynamicdns + chmod +x /usr/bin/dynamicdns + + if ! grep -q "/usr/bin/dynamicdns" /etc/crontab; then + function_check cron_add_mins + cron_add_mins 3 '/usr/bin/dynamicdns' + systemctl restart cron + fi + + echo 'create_freedns_updater' >> $COMPLETION_FILE +} + +function add_ddns_domain { + if [ ! $1 ]; then + echo $'ddns domain not specified' + exit 5638 + fi + CURRENT_DDNS_DOMAIN="$1" + if [[ $ONION_ONLY != "no" ]]; then + return + fi + if [ ! -f /etc/inadyn.conf ]; then + echo $'Unable to find inadyn configuration file /etc/inadyn.conf' + exit 5745 + fi + if ! grep -q "$DDNS_PROVIDER" /etc/inadyn.conf; then + echo '' >> /etc/inadyn.conf + echo "system $DDNS_PROVIDER" >> /etc/inadyn.conf + echo ' ssl' >> /etc/inadyn.conf + echo " checkip-url $GET_IP_ADDRESS_URL /" >> /etc/inadyn.conf + if [ $DDNS_USERNAME ]; then + echo " username $DDNS_USERNAME" >> /etc/inadyn.conf + fi + if [ $DDNS_PASSWORD ]; then + echo " password $DDNS_PASSWORD" >> /etc/inadyn.conf + fi + fi + + if ! grep -q "$CURRENT_DDNS_DOMAIN" /etc/inadyn.conf; then + echo " alias $CURRENT_DDNS_DOMAIN" >> /etc/inadyn.conf + fi + chmod 600 /etc/inadyn.conf + systemctl restart inadyn + systemctl daemon-reload +} + +function configure_dns { + if grep -Fxq "configure_dns" $COMPLETION_FILE; then + return + fi + echo 'domain localdomain' > /etc/resolv.conf + echo 'search localdomain' >> /etc/resolv.conf + echo "nameserver $NAMESERVER1" >> /etc/resolv.conf + echo "nameserver $NAMESERVER2" >> /etc/resolv.conf + + # prevent resolv.conf from changing + chattr +i /etc/resolv.conf + + echo 'configure_dns' >> $COMPLETION_FILE +} + +function set_hostname { + DEFAULT_DOMAIN_NAME="$1" + + echo "$DEFAULT_DOMAIN_NAME" > /etc/hostname + hostname $DEFAULT_DOMAIN_NAME + + if grep -q "127.0.1.1" /etc/hosts; then + sed -i "s/127.0.1.1.*/127.0.1.1 $DEFAULT_DOMAIN_NAME/g" /etc/hosts + else + echo "127.0.1.1 $DEFAULT_DOMAIN_NAME" >> /etc/hosts + fi +} + +function set_your_domain_name { + if grep -Fxq "set_your_domain_name" $COMPLETION_FILE; then + return + fi + + function_check set_hostname + set_hostname $DEFAULT_DOMAIN_NAME + + echo 'set_your_domain_name' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-final b/src/freedombone-utils-final new file mode 100644 index 00000000..e7807f79 --- /dev/null +++ b/src/freedombone-utils-final @@ -0,0 +1,80 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Final stage of install +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +OPEN_PORTS=() + +function install_final { + if grep -Fxq "install_final" $COMPLETION_FILE; then + return + fi + # unmount any attached usb drive + if [ -d $USB_MOUNT ]; then + umount $USB_MOUNT + rm -rf $USB_MOUNT + fi + function_check split_gpg_key_into_fragments + split_gpg_key_into_fragments + echo 'install_final' >> $COMPLETION_FILE + clear + echo '' + + echo $" + *** ${PROJECT_NAME} installation is complete. Rebooting... *** + + Now forward these ports from your internet router +" + for p in "${OPEN_PORTS[@]}" + do + echo " $p" + done + echo '' + + if [ -f "/home/$MY_USERNAME/README" ]; then + echo $"See /home/$MY_USERNAME/README for post-installation instructions." + echo '' + fi + # add user menu on ssh login + if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then + echo 'control' >> /home/$MY_USERNAME/.bashrc + fi + if [ ! -f $IMAGE_PASSWORD_FILE ]; then + reboot + fi +} + +function setup_final { + function_check intrusion_detection + intrusion_detection + + function_check install_final + install_final +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall new file mode 100755 index 00000000..118de875 --- /dev/null +++ b/src/freedombone-utils-firewall @@ -0,0 +1,521 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Firewall functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function save_firewall_settings { + iptables-save > /etc/firewall.conf + ip6tables-save > /etc/firewall6.conf + printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables + printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables + printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables + chmod +x /etc/network/if-up.d/iptables +} + +function enable_ipv6 { + # endure that ipv6 is enabled and can route + sed -i 's/net.ipv6.conf.all.disable_ipv6.*/net.ipv6.conf.all.disable_ipv6 = 0/g' /etc/sysctl.conf + #sed -i "s/net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 1/g" /etc/sysctl.conf + #sed -i "s/net.ipv6.conf.all.accept_source_route.*/net.ipv6.conf.all.accept_source_route = 1/g" /etc/sysctl.conf + sed -i "s/net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding=1/g" /etc/sysctl.conf + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding +} + +function configure_firewall { + if grep -q "RELATED" /etc/firewall.conf; then + # recreate the firewall to remove RELATED + sed -i "/firewall/d" $COMPLETION_FILE + fi + if grep -Fxq "configure_firewall" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + iptables -P INPUT ACCEPT + ip6tables -P INPUT ACCEPT + iptables -F + ip6tables -F + iptables -t nat -F + ip6tables -t nat -F + iptables -X + ip6tables -X + iptables -P INPUT DROP + ip6tables -P INPUT DROP + iptables -A INPUT -i lo -j ACCEPT + iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT + + # Make sure incoming tcp connections are SYN packets + iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP + + # Drop packets with incoming fragments + iptables -A INPUT -f -j DROP + + # Drop bogons + iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP + iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP + iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + + # Incoming malformed NULL packets: + iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP + + echo 'configure_firewall' >> $COMPLETION_FILE +} + +function configure_firewall_ping { + if grep -Fxq "configure_firewall_ping" $COMPLETION_FILE; then + return + fi + # Only allow ping for mesh installs + if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then + return + fi + iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT + iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + echo 'configure_firewall_ping' >> $COMPLETION_FILE +} + +function configure_firewall_for_voip { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + return + fi + if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT + iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("Mumble $VOIP_PORT") + echo 'configure_firewall_for_voip' >> $COMPLETION_FILE +} + +function configure_firewall_for_syncthing { + if grep -Fxq "configure_firewall_for_syncthing" $COMPLETION_FILE; then + return + fi + iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT + iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("Syncthing $SYNCTHING_PORT") + echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE +} + +function configure_firewall_for_voip_turn { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + return + fi + if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT + iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT + iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("TURN $VOIP_TURN_PORT") + OPEN_PORTS+=("TURN TLS $VOIP_TURN_TLS_PORT") + echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE +} + + +function configure_firewall_for_sip4 { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + return + fi + if grep -Fxq "configure_firewall_for_sip4" $COMPLETION_FILE; then + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT + iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT + iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT + iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("SIP $SIP_PORT") + OPEN_PORTS+=("SIP TLS $SIP_TLS_PORT") + echo 'configure_firewall_for_sip4' >> $COMPLETION_FILE +} + +function configure_firewall_for_ipfs { + if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then + return + fi + if grep -Fxq "configure_firewall_for_ipfs" $COMPLETION_FILE; then + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("IPFS $IPFS_PORT") + echo 'configure_firewall_for_ipfs' >> $COMPLETION_FILE +} + +function configure_firewall_for_avahi { + if grep -Fxq "configure_firewall_for_avahi" $COMPLETION_FILE; then + return + fi + iptables -A INPUT -p tcp --dport 548 -j ACCEPT + iptables -A INPUT -p udp --dport 548 -j ACCEPT + iptables -A INPUT -p tcp --dport 5353 -j ACCEPT + iptables -A INPUT -p udp --dport 5353 -j ACCEPT + iptables -A INPUT -p tcp --dport 5354 -j ACCEPT + iptables -A INPUT -p udp --dport 5354 -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + echo 'configure_firewall_for_avahi' >> $COMPLETION_FILE +} + +function configure_firewall_for_cjdns { + if grep -Fxq "configure_firewall_for_cjdns" $COMPLETION_FILE; then + return + fi + if [[ $ENABLE_CJDNS != "yes" ]]; then + return + fi + ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE + ip6tables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + echo 'configure_firewall_for_cjdns' >> $COMPLETION_FILE +} + +function configure_firewall_for_batman { + if grep -Fxq "configure_firewall_for_batman" $COMPLETION_FILE; then + return + fi + if [[ $ENABLE_BATMAN != "yes" ]]; then + return + fi + + function_check save_firewall_settings + save_firewall_settings + echo 'configure_firewall_for_batman' >> $COMPLETION_FILE +} + +function configure_firewall_for_babel { + if grep -Fxq "configure_firewall_for_babel" $COMPLETION_FILE; then + return + fi + if [[ $ENABLE_BABEL != "yes" ]]; then + return + fi + iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("Babel $BABEL_PORT") + echo 'configure_firewall_for_babel' >> $COMPLETION_FILE +} + +function configure_firewall_for_zeronet { + if grep -Fxq "configure_firewall_for_zeronet" $COMPLETION_FILE; then + return + fi + if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then + return + fi + iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT + iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT + iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT + iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT + iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("ZeroNet $ZERONET_PORT") + OPEN_PORTS+=("Tracker $TRACKER_PORT") + echo 'configure_firewall_for_zeronet' >> $COMPLETION_FILE +} + +function configure_firewall_for_dlna { + if grep -Fxq "configure_firewall_for_dlna" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then + return + fi + iptables -A INPUT -p udp --dport 1900 -j ACCEPT + iptables -A INPUT -p tcp --dport 8200 -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=('DLNA 1900') + OPEN_PORTS+=('DLNA 8200') + echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE +} + +function configure_firewall_for_dns { + if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + echo 'configure_firewall_for_dns' >> $COMPLETION_FILE +} + +function configure_firewall_for_xmpp { + if [ ! -d /etc/prosody ]; then + return + fi + if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT + iptables -A INPUT -p tcp --dport 5269 -j ACCEPT + iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=('XMPP 5222-5223') + OPEN_PORTS+=('XMPP 5269') + OPEN_PORTS+=('XMPP 5280-5281') + echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE +} + +function configure_firewall_for_irc { + if [ ! -d /etc/ngircd ]; then + return + fi + if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p tcp --dport $IRC_PORT -j ACCEPT + iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("IRC $IRC_PORT") + echo 'configure_firewall_for_irc' >> $COMPLETION_FILE +} + +function configure_firewall_for_web_access { + if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p tcp --dport 32768:61000 --sport 80 -j ACCEPT + iptables -A INPUT -p tcp --dport 32768:61000 --sport 443 -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + echo 'configure_firewall_for_web_access' >> $COMPLETION_FILE +} + +function configure_firewall_for_web_server { + if grep -Fxq "configure_firewall_for_web_server" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p tcp --dport 80 -j ACCEPT + iptables -A INPUT -p tcp --dport 443 -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=('HTTP 80') + OPEN_PORTS+=('HTTPS 443') + echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE +} + +function configure_firewall_for_tox { + if grep -Fxq "configure_firewall_for_tox" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("Tox $TOX_PORT") + echo 'configure_firewall_for_tox' >> $COMPLETION_FILE +} + +function configure_firewall_for_ssh { + if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("SSH $SSH_PORT") + echo 'configure_firewall_for_ssh' >> $COMPLETION_FILE +} + +function configure_firewall_for_git { + if grep -Fxq "configure_firewall_for_git" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p tcp --dport 9418 -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("Git 9418") + echo 'configure_firewall_for_git' >> $COMPLETION_FILE +} + +function configure_firewall_for_email { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then + return + fi + if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p tcp --dport 25 -j ACCEPT + iptables -A INPUT -p tcp --dport 587 -j ACCEPT + iptables -A INPUT -p tcp --dport 465 -j ACCEPT + iptables -A INPUT -p tcp --dport 993 -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=('Email 25') + OPEN_PORTS+=('Email 587') + OPEN_PORTS+=('Email 465') + OPEN_PORTS+=('Email 993') + echo 'configure_firewall_for_email' >> $COMPLETION_FILE +} + +function configure_internet_protocol { + if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then + return + fi + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + sed -i "s/#net.ipv4.tcp_syncookies=1/net.ipv4.tcp_syncookies=1/g" /etc/sysctl.conf + sed -i "s/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/g" /etc/sysctl.conf + sed -i "s/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/g" /etc/sysctl.conf + sed -i "s/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/g" /etc/sysctl.conf + sed -i "s/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/g" /etc/sysctl.conf + sed -i "s/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/g" /etc/sysctl.conf + sed -i "s/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/g" /etc/sysctl.conf + sed -i "s/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/g" /etc/sysctl.conf + sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=0/g" /etc/sysctl.conf + sed -i "s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=0/g" /etc/sysctl.conf + if ! grep -q "ignore pings" /etc/sysctl.conf; then + echo '# ignore pings' >> /etc/sysctl.conf + echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf + echo 'net.ipv6.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf + fi + if ! grep -q "disable ipv6" /etc/sysctl.conf; then + echo '# disable ipv6' >> /etc/sysctl.conf + echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.conf + fi + if ! grep -q "net.ipv4.tcp_synack_retries" /etc/sysctl.conf; then + echo 'net.ipv4.tcp_synack_retries = 2' >> /etc/sysctl.conf + echo 'net.ipv4.tcp_syn_retries = 1' >> /etc/sysctl.conf + fi + if ! grep -q "keepalive" /etc/sysctl.conf; then + echo '# keepalive' >> /etc/sysctl.conf + echo 'net.ipv4.tcp_keepalive_probes = 9' >> /etc/sysctl.conf + echo 'net.ipv4.tcp_keepalive_intvl = 75' >> /etc/sysctl.conf + echo 'net.ipv4.tcp_keepalive_time = 7200' >> /etc/sysctl.conf + fi + echo 'configure_internet_protocol' >> $COMPLETION_FILE +} diff --git a/src/freedombone-utils-git b/src/freedombone-utils-git index ee138a6a..d88a0aa0 100755 --- a/src/freedombone-utils-git +++ b/src/freedombone-utils-git @@ -88,24 +88,6 @@ function git_pull { fi } -# This might be replaced in future with a separate rss reader script -function rss_reader_modifications { - # modify the rss reader to use a socks5 proxy rather than a http proxy - if [ ! -d $RSS_READER_PATH ]; then - return - fi - - # ensure that socks5 proxy is used - if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/plugins/af_unburn/init.php; then - sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/plugins/af_unburn/init.php - fi - if ! grep -q "CURLOPT_PROXYTYPE" $RSS_READER_PATH/include/functions.php; then - sed -i '/curl_setopt($ch, CURLOPT_PROXY, _CURL_HTTP_PROXY);/a \\t\t\t\tcurl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);' $RSS_READER_PATH/include/functions.php - fi - chown -R www-data:www-data $RSS_READER_PATH - chmod a+x $RSS_READER_PATH -} - # This ensures that a given repo is on a given commit # If it isn't then it attempts to upgrade function set_repo_commit { @@ -180,6 +162,7 @@ function set_repo_commit { make install fi if [[ $repo_dir == $RSS_READER_PATH ]]; then + function_check rss_reader_modifications rss_reader_modifications fi if [[ $repo_dir == *"inadyn" ]]; then diff --git a/src/freedombone-utils-go b/src/freedombone-utils-go new file mode 100755 index 00000000..264da4c9 --- /dev/null +++ b/src/freedombone-utils-go @@ -0,0 +1,148 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Go functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +GO_VERSION=1.5 + +GO_PACKAGE_MANAGER_REPO="https://github.com/gpmgo/gopm" +GVM_HOME=/home/git/gvm +GVM_REPO="https://github.com/moovweb/gvm" +GVM_COMMIT='25ea8ae158e2861c92e2b22c458e60840157832f' + +function select_go_version { + if [ ! -d $GVM_HOME/bin ]; then + echo $'GVM was not installed' + exit 629532 + fi + export GVM_ROOT=$GVM_HOME + if ! grep -q "GVM_ROOT=" ~/.bashrc; then + echo "export GVM_ROOT=$GVM_ROOT" >> ~/.bashrc + else + sed -i "s|export GVM_ROOT=.*|export GVM_ROOT=$GVM_ROOT|g" ~/.bashrc + fi + cd $GVM_ROOT/bin + [[ -s "$GVM_ROOT/scripts/gvm" ]] && source "$GVM_ROOT/scripts/gvm" + gvm use go${GO_VERSION} --default + systemctl set-environment GOPATH=$GOPATH + + if [ ${#GOPATH} -lt 2 ]; then + echo $'GOPATH was not set' + exit 629825 + fi +} + +function upgrade_golang { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + # NOTE: this is annoyingly hacky and going in the opposite + # direction of a pure blend, but it's necessary if you want + # to run the latest version of gogs + + # update to the next commit + function_check set_repo_commit + set_repo_commit $INSTALL_DIR/gvm "gvm commit" "$GVM_COMMIT" $GVM_REPO + + if grep -Fxq "upgrade_golang" $COMPLETION_FILE; then + return + fi + + export GVM_ROOT=$GVM_HOME + + apt-get -y install curl git mercurial make binutils bison gcc build-essential + if [ ! -d $INSTALL_DIR ]; then + mkdir $INSTALL_DIR + fi + cd $INSTALL_DIR + function_check git_clone + git_clone $GVM_REPO gvm + cd $INSTALL_DIR/gvm + git checkout $GVM_COMMIT -b $GVM_COMMIT + if [ ! -f binscripts/gvm-installer ]; then + echo $'gvm installer not found' + fi + chmod +x binscripts/gvm-installer + + if [ -d /root/.gvm ]; then + rm -rf /root/.gvm + fi + if [ -d $GVM_ROOT ]; then + rm -rf $GVM_ROOT + fi + sed -i "s|export GVM_ROOT=.*|export GVM_ROOT=$GVM_ROOT|g" ~/.bashrc + + if [ ! -d /home/git ]; then + # add a gogs user account within which the gvm home directory will exist + adduser --disabled-login --gecos 'Gogs' git + fi + if [ -d /home/git/Maildir ]; then + rm -rf /home/git/Maildir + fi + + # TODO: this script is all over the place + # and contains hardcoded github. See if you can do better + ./binscripts/gvm-installer master /home/git + + if [ ! -d $GVM_ROOT ]; then + echo $'Unable to install gvm' + exit 83537 + fi + + [[ -s "$GVM_ROOT/scripts/gvm" ]] && source "$GVM_ROOT/scripts/gvm" + if [ ! -f $GVM_ROOT/bin/gvm ]; then + echo $'gvm was not installed' + fi + if ! grep -q "export GVM_ROOT=" ~/.bashrc; then + echo "export GVM_ROOT=$GVM_ROOT" >> ~/.bashrc + fi + + cd $GVM_ROOT/bin + gvm install go1.4 + gvm use go1.4 + export GOROOT_BOOTSTRAP=$GOROOT + gvm install go${GO_VERSION} + if [ ! "$?" = "0" ]; then + echo $'Unable to upgrade golang' + exit 529252 + fi + gvm use go${GO_VERSION} --default + + chown -R git:git $GVM_HOME + + if ! grep -q "gvm commit" $COMPLETION_FILE; then + echo "gvm commit:$GVM_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/gvm commit.*/gvm commit:$GVM_COMMIT/g" $COMPLETION_FILE + fi + + echo 'upgrade_golang' >> $COMPLETION_FILE +} + +# NOTE: deliberately there is no "exit 0" diff --git a/src/freedombone-utils-help b/src/freedombone-utils-help new file mode 100755 index 00000000..265c352a --- /dev/null +++ b/src/freedombone-utils-help @@ -0,0 +1,81 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Show help +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function show_help { + echo '' + echo $"${PROJECT_NAME} -c [configuration file]" + echo '' + echo $' -h --help Show help' + echo $' menuconfig Easy interactive installation' + echo $' menuconfig-full Full interactive installation' + echo $' menuconfig-onion Interactive installation for onion-only sites' + echo $' -c --config Installing from a configuration file' + echo $' --bbb Installing on Beaglebone Black' + echo $' -u --user User to install the system as' + echo $' -d --domain Default domain name' + echo $' -s --system System type' + echo $' --ip Static LAN IP address of the system' + echo $' --iprouter LAN IP address of the internet router' + echo $' --ddns Dynamic DNS provider domain' + echo $' --ddnsuser Dynamic DNS provider username' + echo $' --ddnspass Dynamic DNS provider password' + echo '' + echo $' --microblogdomain Microblog domain name' + echo $' --wikidomain Wiki domain name' + echo $' --blogdomain Blog domain name' + echo $' --hubzilladomain Hubzilla domain name' + echo $' --gitdomain Git hosting domain name' + echo $' -t --time Domain used as a TLS time source' + echo $' --ssh ssh port number' + echo $' --list Public mailing list name' + echo $' --cores Number of CPU cores' + echo $' --name Your name' + echo $' --email Your email address' + echo $' --usb Path for the USB drive (eg. /dev/sdb1)' + echo $' --cjdns Enable CJDNS' + echo $' --vpass VoIP server password' + echo $' --vport VoIP server port' + echo $' --ns1 First DNS nameserver' + echo $' --ns2 Second DNS nameserver' + echo $' --repo Debian repository' + echo '' + echo $'system types' + echo '------------' + echo $'This can either be blank if you wish to install the full system,' + echo $"or for more specialised variants you can specify '$VARIANT_MAILBOX', '$VARIANT_CLOUD'," + echo $"'$VARIANT_CHAT', '$VARIANT_SOCIAL', '$VARIANT_MEDIA', '$VARIANT_WRITER', '$VARIANT_DEVELOPER'" + echo $"or '$VARIANT_MESH'." + echo '' + echo $"If you wish to install everything except email then use the '$VARIANT_NONMAILBOX' variaint." + echo '' + exit 0 +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-interactive b/src/freedombone-utils-interactive new file mode 100755 index 00000000..fed2ff36 --- /dev/null +++ b/src/freedombone-utils-interactive @@ -0,0 +1,109 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Interactive install functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function interactive_configuration_remote_backups { + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! -f /usr/local/bin/${PROJECT_NAME}-remote ]; then + if [ ! -f /usr/bin/${PROJECT_NAME}-remote ]; then + echo $"The command ${PROJECT_NAME}-remote was not found" + exit 87354 + fi + fi + ${PROJECT_NAME}-remote -u $MY_USERNAME -l $FRIENDS_SERVERS_LIST -m $MINIMUM_PASSWORD_LENGTH -r yes + if [ ! "$?" = "0" ]; then + echo $'Command failed:' + echo '' + echo $" ${PROJECT_NAME}-remote -u $MY_USERNAME -l $FRIENDS_SERVERS_LIST -m $MINIMUM_PASSWORD_LENGTH -r yes" + echo '' + exit 65892 + fi +} + +function interactive_configuration { + if [ ! -f /usr/local/bin/${PROJECT_NAME}-config ]; then + if [ ! -f /usr/bin/${PROJECT_NAME}-config ]; then + echo $"The command ${PROJECT_NAME}-config was not found" + exit 63935 + fi + fi + if [ -f /tmp/meshuserdevice ]; then + rm -f /tmp/meshuserdevice + fi + + if [[ $ONION_ONLY == "no" ]]; then + if [[ $MINIMAL_INSTALL == "no" ]]; then + ${PROJECT_NAME}-config \ + -f $CONFIGURATION_FILE \ + -w $PROJECT_WEBSITE \ + -m $MINIMUM_PASSWORD_LENGTH + else + ${PROJECT_NAME}-config \ + -f $CONFIGURATION_FILE \ + -w $PROJECT_WEBSITE \ + -m $MINIMUM_PASSWORD_LENGTH \ + --minimal "yes" + fi + else + ${PROJECT_NAME}-config \ + -f $CONFIGURATION_FILE \ + -w $PROJECT_WEBSITE \ + -m $MINIMUM_PASSWORD_LENGTH \ + --onion "yes" + fi + if [ -f /tmp/meshuserdevice ]; then + # mesh network user device installation + rm -f /tmp/meshuserdevice + exit 0 + fi + if [ ! "$?" = "0" ]; then + echo $'Command failed:' + echo '' + echo $" ${PROJECT_NAME}-config -u $MY_USERNAME -f $CONFIGURATION_FILE -w $PROJECT_WEBSITE -b $PROJECT_BITMESSAGE -m $MINIMUM_PASSWORD_LENGTH --minimal [yes|no]" + echo '' + exit 73594 + fi + + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list + + dialog --title $"Encrypted backup to other servers" \ + --backtitle $"${PROJECT_NAME} Configuration" \ + --defaultno \ + --yesno $"\nDo you wish to configure some remote backup locations?" 7 60 + sel=$? + case $sel in + 0) interactive_configuration_remote_backups;; + esac + fi +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-international b/src/freedombone-utils-international new file mode 100755 index 00000000..e3458bcc --- /dev/null +++ b/src/freedombone-utils-international @@ -0,0 +1,54 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# International/language functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function locale_setup { + if grep -Fxq "locale_setup" $COMPLETION_FILE; then + return + fi + + apt-get -y install locales locales-all debconf + + if [ ! "$DEFAULT_LANGUAGE" ]; then + DEFAULT_LANGUAGE='en_GB.UTF-8' + fi + if [ ${#DEFAULT_LANGUAGE} -lt 2 ]; then + DEFAULT_LANGUAGE='en_GB.UTF-8' + fi + + update-locale LANG=${DEFAULT_LANGUAGE} + update-locale LANGUAGE=${DEFAULT_LANGUAGE} + update-locale LC_MESSAGES=${DEFAULT_LANGUAGE} + update-locale LC_ALL=${DEFAULT_LANGUAGE} + update-locale LC_CTYPE=${DEFAULT_LANGUAGE} + + echo 'locale_setup' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-login b/src/freedombone-utils-login new file mode 100755 index 00000000..0c454061 --- /dev/null +++ b/src/freedombone-utils-login @@ -0,0 +1,86 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# login functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function change_login_message { + if grep -Fxq "change_login_message" $COMPLETION_FILE; then + return + fi + + # remove automatic motd creator if it exists + if [ -f /etc/init.d/motd ]; then + rm -f /etc/init.d/motd + fi + + echo '' > /etc/motd + echo ".---. . . " >> /etc/motd + echo "| | | " >> /etc/motd + echo "|--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. " >> /etc/motd + echo "| | (.-' (.-' ( | ( )| | | | )( )| | (.-' " >> /etc/motd + echo "' ' --' --' -' - -' ' ' -' -' -' ' - --'" >> /etc/motd + + if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then + echo $' M A I L B O X E D I T I O N' >> /etc/motd + fi + + if [[ $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then + echo $' S O C I A L E D I T I O N' >> /etc/motd + fi + + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then + echo $' C H A T E D I T I O N' >> /etc/motd + fi + + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" ]]; then + echo $' C L O U D E D I T I O N' >> /etc/motd + fi + + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" ]]; then + echo $' W R I T E R E D I T I O N ' >> /etc/motd + fi + + if [[ $SYSTEM_TYPE == "$VARIANT_MEDIA" ]]; then + echo $' M E D I A E D I T I O N' >> /etc/motd + fi + + if [[ $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + echo $' D E V E L O P E R E D I T I O N' >> /etc/motd + fi + + echo '' >> /etc/motd + if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then + echo $' Freedom in the Cloud' >> /etc/motd + else + echo $' Freedom in the Mesh' >> /etc/motd + fi + echo '' >> /etc/motd + echo 'change_login_message' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-monkeysphere b/src/freedombone-utils-monkeysphere new file mode 100755 index 00000000..3107e868 --- /dev/null +++ b/src/freedombone-utils-monkeysphere @@ -0,0 +1,66 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# monkeysphere functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function install_monkeysphere { + if grep -Fxq "install_monkeysphere" $COMPLETION_FILE; then + return + fi + apt-get -y install monkeysphere msva-perl + #su -c "monkeysphere gen-subkey $MY_GPG_PUBLIC_KEY_ID" - $MY_USERNAME + mkdir /home/$MY_USERNAME/.monkeysphere + chmod 755 /home/$MY_USERNAME/.monkeysphere + echo "$MY_NAME <${MY_EMAIL_ADDRESS}>" > /home/$MY_USERNAME/.monkeysphere/authorized_user_ids + chmod 644 /home/$MY_USERNAME/.monkeysphere/authorized_user_ids + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.monkeysphere + monkeysphere-authentication update-users + + if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then + echo $'monkeysphere import: ssh host key not found' + exit 76295 + fi + monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME + SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}') + monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME + + if [ ! $MY_GPG_PUBLIC_KEY_ID ]; then + MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME") + if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then + echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME' + exit 52825 + fi + fi + # The admin user is the identity certifier + fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}') + monkeysphere-authentication add-identity-certifier $fpr + + echo 'install_monkeysphere' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-network b/src/freedombone-utils-network new file mode 100755 index 00000000..ae311ce1 --- /dev/null +++ b/src/freedombone-utils-network @@ -0,0 +1,90 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Network functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# If the system is on an IPv6 network +IPV6_NETWORK='2001:470:26:307' + +# The static IP address of the system within the local network +# By default the IP address is dynamic within your LAN +LOCAL_NETWORK_STATIC_IP_ADDRESS= + +# IP address of the router (gateway) +ROUTER_IP_ADDRESS="192.168.1.254" + +MESH_INSTALL_DIR=/var/lib + +function install_static_network { + if grep -Fxq "install_static_network" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLING_ON_BBB == "yes" ]]; then + return + fi + if [ ! $LOCAL_NETWORK_STATIC_IP_ADDRESS ]; then + return + fi + + echo '# The loopback network interface' > /etc/network/interfaces + echo 'auto lo' >> /etc/network/interfaces + echo 'iface lo inet loopback' >> /etc/network/interfaces + echo '' >> /etc/network/interfaces + echo '# The primary network interface' >> /etc/network/interfaces + echo 'auto eth0' >> /etc/network/interfaces + echo 'iface eth0 inet static' >> /etc/network/interfaces + echo " address $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/network/interfaces + echo ' netmask 255.255.255.0' >> /etc/network/interfaces + echo " gateway $ROUTER_IP_ADDRESS" >> /etc/network/interfaces + echo " dns-nameservers $NAMESERVER1 $NAMESERVER2" >> /etc/network/interfaces + echo '# Example to keep MAC address between reboots' >> /etc/network/interfaces + echo '#hwaddress ether DE:AD:BE:EF:CA:FE' >> /etc/network/interfaces + echo '' >> /etc/network/interfaces + echo '# The secondary network interface' >> /etc/network/interfaces + echo '#auto eth1' >> /etc/network/interfaces + echo '#iface eth1 inet dhcp' >> /etc/network/interfaces + echo '' >> /etc/network/interfaces + echo '# WiFi Example' >> /etc/network/interfaces + echo "#auto $WIFI_INTERFACE" >> /etc/network/interfaces + echo "#iface $WIFI_INTERFACE inet dhcp" >> /etc/network/interfaces + echo '# wpa-ssid "essid"' >> /etc/network/interfaces + echo '# wpa-psk "password"' >> /etc/network/interfaces + echo '' >> /etc/network/interfaces + echo '# Ethernet/RNDIS gadget (g_ether)' >> /etc/network/interfaces + echo '# ... or on host side, usbnet and random hwaddr' >> /etc/network/interfaces + echo '# Note on some boards, usb0 is automaticly setup with an init script' >> /etc/network/interfaces + echo '#iface usb0 inet static' >> /etc/network/interfaces + echo '# address 192.168.7.2' >> /etc/network/interfaces + echo '# netmask 255.255.255.0' >> /etc/network/interfaces + echo '# network 192.168.7.0' >> /etc/network/interfaces + echo '# gateway 192.168.7.1' >> /etc/network/interfaces + + echo 'install_static_network' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-onion b/src/freedombone-utils-onion new file mode 100755 index 00000000..cb8850b3 --- /dev/null +++ b/src/freedombone-utils-onion @@ -0,0 +1,349 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Onion functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function wait_for_onion_service { + onion_service_name="$1" + + sleep_ctr=0 + while [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; do + sleep 1 + sleep_ctr=$((sleep_ctr + 1)) + if [ $sleep_ctr -gt 10 ]; then + break + fi + done + + if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then + # restart and try a second time + systemctl restart tor + sleep_ctr=0 + while [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; do + sleep 1 + sleep_ctr=$((sleep_ctr + 1)) + if [ $sleep_ctr -gt 10 ]; then + break + fi + done + fi +} + +function add_onion_service { + onion_service_name="$1" + onion_service_port_from=$2 + onion_service_port_to=$3 + + if [ -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then + echo $(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname) + return + fi + + if [ ! -d /var/lib/tor ]; then + echo $"No Tor installation found. ${onion_service_name} onion site cannot be configured." + exit 877367 + fi + if ! grep -q "hidden_service_${onion_service_name}" /etc/tor/torrc; then + echo "HiddenServiceDir /var/lib/tor/hidden_service_${onion_service_name}/" >> /etc/tor/torrc + echo "HiddenServicePort ${onion_service_port_from} 127.0.0.1:${onion_service_port_to}" >> /etc/tor/torrc + fi + + systemctl restart tor + + function_check wait_for_onion_service + wait_for_onion_service ${onion_service_name} + + if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then + echo $"${onion_service_name} onion site hostname not found" + exit 76362 + fi + echo $(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname) +} + +function set_default_onion_domains { + # If sites are only visible via Tor then for installation + # purposes assign them some default domain names + if [[ $ONION_ONLY == "no" ]]; then + return + fi + + if [ ${#MICROBLOG_DOMAIN_NAME} -gt 1 ]; then + MICROBLOG_DOMAIN_NAME='microblog.local' + fi + if [ ${#FULLBLOG_DOMAIN_NAME} -gt 1 ]; then + FULLBLOG_DOMAIN_NAME='blog.local' + fi + if [ ${#WIKI_DOMAIN_NAME} -gt 1 ]; then + WIKI_DOMAIN_NAME='wiki.local' + fi + if [ ${#DEFAULT_DOMAIN_NAME} -gt 1 ]; then + DEFAULT_DOMAIN_NAME="${PROJECT_NAME}.local" + fi + if [ ${#GIT_DOMAIN_NAME} -gt 1 ]; then + GIT_DOMAIN_NAME='git.local' + fi + if [ ${#MEDIAGOBLIN_DOMAIN_NAME} -gt 1 ]; then + MEDIAGOBLIN_DOMAIN_NAME='media.local' + fi +} + +function create_avahi_onion_domains { + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! -d /etc/avahi/services ]; then + return + fi + if [ $MICROBLOG_DOMAIN_NAME ]; then + function_check create_avahi_service + create_avahi_service microblog http tcp $MICROBLOG_ONION_PORT + fi + if [ $FULLBLOG_DOMAIN_NAME ]; then + function_check create_avahi_service + create_avahi_service blog http tcp $BLOG_ONION_PORT + fi + if [ $GIT_DOMAIN_NAME ]; then + function_check create_avahi_service + create_avahi_service git http tcp $GIT_ONION_PORT + fi + if [ $WIKI_DOMAIN_NAME ]; then + function_check create_avahi_service + create_avahi_service wiki http tcp $WIKI_ONION_PORT + fi +} + +function allow_ssh_to_onion_address { + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! -d /home/$MY_USERNAME/.ssh ]; then + mkdir /home/$MY_USERNAME/.ssh + fi + if [ ! -d /etc/tor ]; then + echo $'Tor not found when updating ssh' + exit 528257 + fi + if ! grep -q "onion" /home/$MY_USERNAME/.ssh/config; then + echo 'Host *.onion' >> /home/$MY_USERNAME/.ssh/config + echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /home/$MY_USERNAME/.ssh/config + fi +} + +function enable_ssh_via_onion { + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "enable_ssh_via_onion" $COMPLETION_FILE; then + return + fi + apt-get -y install tor connect-proxy + if ! grep -q 'Host *.onion' /home/$MY_USERNAME/.ssh/config; then + if [ ! -d /home/$MY_USERNAME/.ssh ]; then + mkdir /home/$MY_USERNAME/.ssh + fi + echo 'Host *.onion' >> /home/$MY_USERNAME/.ssh/config + echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /home/$MY_USERNAME/.ssh/config + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh/config + fi + if ! grep -q 'Host *.onion' /root/.ssh/config; then + if [ ! -d /root/.ssh ]; then + mkdir /root/.ssh + fi + echo 'Host *.onion' >> /root/.ssh/config + echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> /root/.ssh/config + fi + echo 'enable_ssh_via_onion' >> $COMPLETION_FILE +} + +function configure_ssh_onion { + if grep -Fxq "configure_ssh_onion" $COMPLETION_FILE; then + return + fi + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + SSH_ONION_HOSTNAME=$(add_onion_service ssh ${SSH_PORT} ${SSH_PORT}) + + if ! grep -q "ssh onion domain" $COMPLETION_FILE; then + echo "ssh onion domain:${SSH_ONION_HOSTNAME}" >> $COMPLETION_FILE + else + sed -i "s|ssh onion domain.*|ssh onion domain:${SSH_ONION_HOSTNAME}|g" $COMPLETION_FILE + fi + + echo 'configure_ssh_onion' >> $COMPLETION_FILE +} + +function install_tor { + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "install_tor" $COMPLETION_FILE; then + return + fi + apt-get -y install tor + if [ ! -f /etc/tor/torrc ]; then + echo 'Tor failed to install' + exit 38259 + fi + echo 'install_tor' >> $COMPLETION_FILE +} + +function resolve_dns_via_tor { + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if grep -Fxq "resolve_dns_via_tor" $COMPLETION_FILE; then + return + fi + if [ ! -f /etc/tor/torrc ]; then + echo $'tor was not installed' + exit 52952 + fi + + # resolve DNS via tor + if ! grep 'DNSPort 53' /etc/tor/torrc; then + echo 'DNSPort 53' >> /etc/tor/torrc + echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc + echo 'AutomapHostsSuffixes .exit,.onion' >> /etc/tor/torrc + systemctl restart tor + fi + + # don't change resolv.conf + sed -i 's|, domain-name-servers||g' /etc/dhcp/dhclient.conf + + # point resolv.conf to tor + echo 'nameserver 127.0.0.1:53' > /etc/resolv.conf + + # prevent resolv.conf from changing + chattr +i /etc/resolv.conf + + echo 'resolve_dns_via_tor' >> $COMPLETION_FILE +} + +# see https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy +# Local Redirection and Anonymizing Middlebox +function route_outgoing_traffic_through_tor { + if grep -Fxq "route_outgoing_traffic_through_tor" $COMPLETION_FILE; then + return + fi + if [[ $ROUTE_THROUGH_TOR != "yes" ]]; then + return + fi + apt-get -y install tor tor-arm + + ### set variables + # Destinations you don't want routed through Tor + _non_tor="192.168.1.0/24 192.168.0.0/24" + + # The user that Tor runs as + _tor_uid="debian-tor" + + # Tor's TransPort + _trans_port="9040" + + # Your internal interface + _int_if="eth0" + + ### Set iptables *nat + iptables -t nat -A OUTPUT -o lo -j RETURN + iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN + iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53 + + # Allow clearnet access for hosts in $_non_tor + for _clearnet in $_non_tor; do + iptables -t nat -A OUTPUT -d $_clearnet -j RETURN + iptables -t nat -A PREROUTING -i $_int_if -d $_clearnet -j RETURN + done + + # Redirect all other pre-routing and output to Tor + iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port + iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53 + iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port + + ### set iptables *filter + iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + + # Allow clearnet access for hosts in $_non_tor + for _clearnet in $_non_tor 127.0.0.0/8; do + iptables -A OUTPUT -d $_clearnet -j ACCEPT + done + + # Allow only Tor output + iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT + iptables -A OUTPUT -j REJECT + + function_check save_firewall_settings + save_firewall_settings + + if ! grep -q "fs.file-max" /etc/sysctl.conf; then + echo "fs.file-max=100000" >> /etc/sysctl.conf + /sbin/sysctl -p + fi + + echo 'domain localdomain' > /etc/resolv.conf + echo 'search localdomain' >> /etc/resolv.conf + echo 'nameserver 127.0.0.1' >> /etc/resolv.conf + + if ! grep -q "VirtualAddrNetworkIPv4" /etc/tor/torrc; then + echo 'VirtualAddrNetworkIPv4 10.192.0.0/10' >> /etc/tor/torrc + fi + + if ! grep -q "AutomapHostsOnResolve" /etc/tor/torrc; then + echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc + fi + + if ! grep -q "TransPort" /etc/tor/torrc; then + echo 'TransPort 9040' >> /etc/tor/torrc + fi + + if ! grep -q "TransListenAddress 127.0.0.1" /etc/tor/torrc; then + echo 'TransListenAddress 127.0.0.1' >> /etc/tor/torrc + fi + + if ! grep -q "TransListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" /etc/tor/torrc; then + echo "TransListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/tor/torrc + fi + + if ! grep -q "DNSPort" /etc/tor/torrc; then + echo 'DNSPort 53' >> /etc/tor/torrc + fi + + if ! grep -q "DNSListenAddress 127.0.0.1" /etc/tor/torrc; then + echo 'DNSListenAddress 127.0.0.1' >> /etc/tor/torrc + fi + + if ! grep -q "DNSListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" /etc/tor/torrc; then + echo "DNSListenAddress $LOCAL_NETWORK_STATIC_IP_ADDRESS" >> /etc/tor/torrc + fi + + echo 'route_outgoing_traffic_through_tor' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-passwords b/src/freedombone-utils-passwords new file mode 100755 index 00000000..1b8620df --- /dev/null +++ b/src/freedombone-utils-passwords @@ -0,0 +1,54 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Password functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# If this file exists it contains a global password used with +# disk image installs. This simplifies password management for +# deployment at scale +IMAGE_PASSWORD_FILE=/root/login.txt + +# Minimum number of characters in a password +MINIMUM_PASSWORD_LENGTH=10 + +function enforce_good_passwords { + # because humans are generally bad at choosing passwords + if grep -Fxq "enforce_good_passwords" $COMPLETION_FILE; then + return + fi + apt-get -y install libpam-cracklib + + sed -i 's/password.*requisite.*pam_cracklib.so.*/password required pam_cracklib.so retry=2 dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0 minlen=10 reject_username/g' /etc/pam.d/common-password + echo 'enforce_good_passwords' >> $COMPLETION_FILE +} + +function create_password { + echo "$(openssl rand -base64 32 | cut -c1-${1})" +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-repos b/src/freedombone-utils-repos new file mode 100755 index 00000000..40aa6e25 --- /dev/null +++ b/src/freedombone-utils-repos @@ -0,0 +1,149 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Functions to set repositories +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# The Debian package repository to use. +DEBIAN_REPO="ftp.us.debian.org" + +# password used for accessing your repo mirrors +MY_MIRRORS_PASSWORD= +# friend's repo mirrors +FRIENDS_MIRRORS_PASSWORD= +FRIENDS_MIRRORS_SERVER= +FRIENDS_MIRRORS_SSH_PORT=2222 + +function create_repo_sources { + if grep -Fxq "create_repo_sources" $COMPLETION_FILE; then + return + fi + rm -rf /var/lib/apt/lists/* + apt-get clean + + echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main" > /etc/apt/sources.list + echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION} main" >> /etc/apt/sources.list + echo '' >> /etc/apt/sources.list + echo "deb http://security.debian.org/ ${DEBIAN_VERSION}/updates main" >> /etc/apt/sources.list + echo "deb-src http://security.debian.org/ ${DEBIAN_VERSION}/updates main" >> /etc/apt/sources.list + echo '' >> /etc/apt/sources.list + echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main" >> /etc/apt/sources.list + echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-updates main" >> /etc/apt/sources.list + echo '' >> /etc/apt/sources.list + echo "deb http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main" >> /etc/apt/sources.list + echo "deb-src http://${DEBIAN_REPO}/debian/ ${DEBIAN_VERSION}-backports main" >> /etc/apt/sources.list + + apt-get update + apt-get -y install apt-transport-https + + echo 'create_repo_sources' >> $COMPLETION_FILE +} + +function read_repo_servers { + if [ -f $CONFIGURATION_FILE ]; then + if grep -q "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE; then + FRIENDS_MIRRORS_SERVER=$(grep "FRIENDS_MIRRORS_SERVER" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE; then + FRIENDS_MIRRORS_SSH_PORT=$(grep "FRIENDS_MIRRORS_SSH_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then + MY_MIRRORS_PASSWORD=$(grep "MY_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE; then + FRIENDS_MIRRORS_PASSWORD=$(grep "FRIENDS_MIRRORS_PASSWORD" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + fi + + if [ ! $FRIENDS_MIRRORS_SERVER ]; then + return + fi + if [ ${#FRIENDS_MIRRORS_SERVER} -lt 2 ]; then + return + fi + + MAIN_COMMAND=/usr/local/bin/${PROJECT_NAME} + if [ ! -f $MAIN_COMMAND ]; then + MAIN_COMMAND=/usr/bin/${PROJECT_NAME} + fi + + REPOS=($(cat ${MAIN_COMMAND} | grep "_REPO=\"" | uniq -u | sed 's|${PROJECT_NAME}|'"${PROJECT_NAME}"'|g')) + + for line in "${REPOS[@]}" + do + repo_name=$(echo "$line" | awk -F '=' '{print $1}') + mirrors_name=$(echo "$repo_name" | sed "s|_REPO||g" | awk '{print tolower($0)}') + friends_repo_url="ssh://mirrors@${FRIENDS_MIRRORS_SERVER}:${FRIENDS_MIRRORS_SSH_PORT}/home/mirrors/${mirrors_name}" + ${repo_name}="${friends_repo_url}" + done +} + +# A command to create a git repository for a project +function create_git_project { + if grep -Fxq "create_git_project" $COMPLETION_FILE; then + return + fi + apt-get -y install git + + echo '#!/bin/bash' > /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo 'GIT_PROJECT_NAME=$1' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo 'if [ ! $GIT_PROJECT_NAME ]; then' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo ' echo "Please specify a project name, without any spaces"' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo ' exit 1' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo 'fi' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo 'if [ ! -d /home/$USER/projects/$GIT_PROJECT_NAME ]; then' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo ' mkdir -p /home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo 'fi' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo 'cd /home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo 'git init --bare' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo -n 'echo "Your project has been created, ' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo 'use the following command to clone the repository"' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo -n " git clone ssh://$MY_USERNAME@$DEFAULT_DOMAIN_NAME:$SSH_PORT" >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo '/home/$USER/projects/$GIT_PROJECT_NAME' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo '' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + echo 'exit 0' >> /usr/bin/$CREATE_GIT_PROJECT_COMMAND + chmod +x /usr/bin/$CREATE_GIT_PROJECT_COMMAND + + echo 'create_git_project' >> $COMPLETION_FILE +} + +function create_mirrors { + if [ -d /home/trove ]; then + userdel -r trove + fi + if grep -Fxq "create_mirrors" $COMPLETION_FILE; then + return + fi + ${PROJECT_NAME}-mirrors + echo 'create_mirrors' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-rng b/src/freedombone-utils-rng new file mode 100755 index 00000000..8a8f5b31 --- /dev/null +++ b/src/freedombone-utils-rng @@ -0,0 +1,167 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Random number generation functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# The type of hardware random number generator being used +# This can be empty, "beaglebone" or "onerng" +HWRNG_TYPE= + +# Download location for OneRNG driver +ONERNG_PACKAGE="onerng_3.4-1_all.deb" +ONERNG_PACKAGE_DOWNLOAD="https://github.com/OneRNG/onerng.github.io/blob/master/sw/$ONERNG_PACKAGE?raw=true" +# Hash for OneRNG driver +ONERNG_PACKAGE_HASH='78f1c2f52ae573e3b398a695ece7ab9f41868252657ea269f0d5cf0bd4f2eb59' + +# device name for OneRNG +ONERNG_DEVICE='ttyACM0' + +function check_hwrng { + if [[ $HWRNG_TYPE == "beaglebone" ]]; then + # If hardware random number generation was enabled then make sure that the device exists. + # if /dev/hwrng is not found then any subsequent cryptographic key generation would + # suffer from low entropy and might be insecure + if [ ! -e /dev/hwrng ]; then + ls /dev/hw* + echo $'The hardware random number generator is enabled but could not be detected on' + echo $'/dev/hwrng. There may be a problem with the installation or the Beaglebone hardware.' + exit 75 + fi + fi + + # If a OneRNG device was installed then verify its firmware + #check_onerng_verification +} + +function check_onerng_verification { + if grep -Fxq "check_onerng_verification" $COMPLETION_FILE; then + return + fi + if [[ $HWRNG_TYPE != "onerng" ]]; then + return + fi + echo $'Checking OneRNG firmware verification' + last_onerng_validation=$(cat /var/log/syslog.1 | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}') + if [[ $last_onerng_validation != *"passed OK"* ]]; then + last_onerng_validation=$(cat /var/log/syslog | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}') + if [[ $last_onerng_validation != *"passed OK"* ]]; then + echo $last_onerng_validation + echo $'OneRNG firmware verification failed' + exit 735026 + fi + fi + echo $'OneRNG firmware verification passed' + # if haveged was previously installed then remove it + apt-get -y remove haveged + echo 'check_onerng_verification' >> $COMPLETION_FILE +} + +function install_onerng { + apt-get -y install rng-tools at python-gnupg + + # Move to the installation directory + if [ ! -d $INSTALL_DIR ]; then + mkdir $INSTALL_DIR + fi + cd $INSTALL_DIR + + # Download the package + if [ ! -f $ONERNG_PACKAGE ]; then + wget $ONERNG_PACKAGE_DOWNLOAD + mv "$ONERNG_PACKAGE?raw=true" $ONERNG_PACKAGE + fi + if [ ! -f $ONERNG_PACKAGE ]; then + echo $"OneRNG package could not be downloaded" + exit 59249 + fi + + # Check the hash + hash=$(sha256sum $ONERNG_PACKAGE | awk -F ' ' '{print $1}') + if [[ $hash != $ONERNG_PACKAGE_HASH ]]; then + echo $"OneRNG package: $ONERNG_PACKAGE" + echo $"Hash does not match. This could indicate that the package has been tampered with." + echo $"OneRNG expected package hash: $ONERNG_PACKAGE_HASH" + echo $"OneRNG actual hash: $hash" + exit 25934 + fi + + # install the package + dpkg -i $ONERNG_PACKAGE + + # Check that the install worked + if [ ! -f /etc/onerng.conf ]; then + echo $'OneRNG configuration file not found. The package may not have installed successfully.' + exit 42904 + fi + + dialog --title $"OneRNG Device" \ + --msgbox $"Please plug in the OneRNG device" 6 40 + + # check rng-tools configuration + if ! grep -q "/dev/$ONERNG_DEVICE" /etc/default/rng-tools; then + echo "HRNGDEVICE=/dev/$ONERNG_DEVICE" >> /etc/default/rng-tools + fi + + systemctl restart rng-tools +} + +function random_number_generator { + if grep -Fxq "random_number_generator" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # it is assumed that docker uses the random number + # generator of the host system + return + fi + + # if the hrng type has not been set but /dev/hwrng is detected + if [[ $HWRNG_TYPE != "beaglebone" ]]; then + if [ -e /dev/hwrng ]; then + HWRNG_TYPE="beaglebone" + fi + fi + + case $HWRNG_TYPE in + beaglebone) + apt-get -y install rng-tools + sed -i 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/hwrng|g' /etc/default/rng-tools + ;; + onerng) + function_check install_onerng + install_onerng + ;; + *) + apt-get -y install haveged + ;; + esac + + echo 'random_number_generator' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup new file mode 100755 index 00000000..d11e4420 --- /dev/null +++ b/src/freedombone-utils-setup @@ -0,0 +1,368 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Setup functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Different system variants which may be specified within +# the SYSTEM_TYPE option +VARIANT_FULL="full" +VARIANT_WRITER="writer" +VARIANT_CLOUD="cloud" +VARIANT_CHAT="chat" +VARIANT_MAILBOX="mailbox" +VARIANT_NONMAILBOX="nonmailbox" +VARIANT_SOCIAL="social" +VARIANT_MEDIA="media" +VARIANT_DEVELOPER="developer" +VARIANT_MESH="mesh" + +DEFAULT_DOMAIN_NAME= +DEFAULT_DOMAIN_CODE= +MY_USERNAME= +SYSTEM_TYPE=$VARIANT_FULL + +# An optional configuration file which overrides some of these variables +CONFIGURATION_FILE="${PROJECT_NAME}.cfg" + +# Directory where source code is downloaded and compiled +INSTALL_DIR=$HOME/build + +# device name for an attached usb drive +USB_DRIVE=/dev/sda1 + +# Location where the USB drive is mounted to +USB_MOUNT=/mnt/usb + +# Number of days to keep backups for +BACKUP_MAX_DAYS=30 + +# file containing a list of remote locations to backup to +# Format: [username@friendsdomain//home/username] [ssh_password] +# With the only space character being between the server and the password +FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list + +export DEBIAN_FRONTEND=noninteractive + +# used to limit CPU usage +CPULIMIT='/usr/bin/cpulimit -l 20 -e' + +# command to create a git repository +CREATE_GIT_PROJECT_COMMAND='create-project' + +# File which keeps track of what has already been installed +COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt + +# log file where details of remote backups are stored +REMOTE_BACKUPS_LOG=/var/log/remotebackups.log + +# message if something fails to install +CHECK_MESSAGE="Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list." + +# Default diffie-hellman key length in bits +DH_KEYLENGTH=2048 + +function initial_setup { + if grep -Fxq "initial_setup" $COMPLETION_FILE; then + return + fi + + apt-get -y remove --purge apache* + apt-get -y dist-upgrade + apt-get -y install ca-certificates emacs24 cpulimit + apt-get -y install cryptsetup libgfshare-bin obnam sshpass wget + apt-get -y install avahi-daemon avahi-utils avahi-discover + apt-get -y install connect-proxy + + if [ ! -d $INSTALL_DIR ]; then + mkdir -p $INSTALL_DIR + fi + + echo 'initial_setup' >> $COMPLETION_FILE +} + +function search_for_attached_usb_drive { + # If a USB drive is attached then search for email, + # gpg, ssh keys and emacs configuration + if grep -Fxq "search_for_attached_usb_drive" $COMPLETION_FILE; then + return + fi + if [ -b $USB_DRIVE ]; then + if [ ! -d $USB_MOUNT ]; then + echo $'Mounting USB drive' + mkdir $USB_MOUNT + mount $USB_DRIVE $USB_MOUNT + fi + if ! [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then + if [ -d $USB_MOUNT/Maildir ]; then + echo $'Maildir found on USB drive' + IMPORT_MAILDIR=$USB_MOUNT/Maildir + fi + if [ -d $USB_MOUNT/.gnupg ]; then + echo $'Importing GPG keyring' + cp -r $USB_MOUNT/.gnupg /home/$MY_USERNAME + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg + GPG_KEYS_IMPORTED="yes" + if [ ! -f /home/$MY_USERNAME/.gnupg/secring.gpg ]; then + echo $'GPG files did not copy' + exit 73529 + fi + fi + + if [ -f $USB_MOUNT/.procmailrc ]; then + echo $'Importing procmail settings' + cp $USB_MOUNT/.procmailrc /home/$MY_USERNAME + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.procmailrc + fi + + if [ -f $USB_MOUNT/private_key.gpg ]; then + echo $'GPG private key found on USB drive' + MY_GPG_PRIVATE_KEY=$USB_MOUNT/private_key.gpg + fi + if [ -f $USB_MOUNT/public_key.gpg ]; then + echo $'GPG public key found on USB drive' + MY_GPG_PUBLIC_KEY=$USB_MOUNT/public_key.gpg + fi + fi + if [ -d $USB_MOUNT/prosody ]; then + if [ ! -d $XMPP_DIRECTORY ]; then + mkdir $XMPP_DIRECTORY + fi + cp -r $USB_MOUNT/prosody/* $XMPP_DIRECTORY + chown -R prosody:prosody $XMPP_DIRECTORY + fi + if [ -d $USB_MOUNT/.ssh ]; then + echo $'Importing ssh keys' + cp -r $USB_MOUNT/.ssh /home/$MY_USERNAME + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh + # for security delete the ssh keys from the usb drive + if [ ! -f /home/$MY_USERNAME/.ssh/id_rsa ]; then + echo $'ssh files did not copy' + exit 8 + fi + fi + if [ -f $USB_MOUNT/.emacs ]; then + echo $'Importing .emacs file' + cp -f $USB_MOUNT/.emacs /home/$MY_USERNAME/.emacs + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs + fi + if [ -d $USB_MOUNT/.emacs.d ]; then + echo $'Importing .emacs.d directory' + cp -r $USB_MOUNT/.emacs.d /home/$MY_USERNAME + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs.d + fi + if [ -d $USB_MOUNT/ssl ]; then + echo $'Importing SSL certificates' + cp -r $USB_MOUNT/ssl/* /etc/ssl + chmod 640 /etc/ssl/certs/* + chmod 400 /etc/ssl/private/* + # change ownership of some certificates + if [ -d /etc/prosody ]; then + chown prosody:prosody /etc/ssl/private/xmpp.* + chown prosody:prosody /etc/ssl/certs/xmpp.* + fi + if [ -d /etc/dovecot ]; then + chown root:dovecot /etc/ssl/certs/dovecot.* + chown root:dovecot /etc/ssl/private/dovecot.* + fi + if [ -f /etc/ssl/private/exim.key ]; then + cp /etc/ssl/private/exim.key /etc/exim4 + cp /etc/ssl/certs/exim.crt /etc/exim4 + cp /etc/ssl/certs/exim.dhparam /etc/exim4 + chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam + chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam + fi + fi + if [ -d $USB_MOUNT/personal ]; then + echo $'Importing personal directory' + cp -r $USB_MOUNT/personal /home/$MY_USERNAME + chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/personal + fi + else + if [ -d $USB_MOUNT ]; then + umount $USB_MOUNT + rm -rf $USB_MOUNT + fi + echo $'No USB drive attached' + fi + echo 'search_for_attached_usb_drive' >> $COMPLETION_FILE +} + +function mark_admin_user_account { + if ! grep -q "Admin user:" $COMPLETION_FILE; then + echo "Admin user:$MY_USERNAME" >> $COMPLETION_FILE + fi +} + +function remove_instructions_from_motd { + sed -i '/## /d' /etc/motd +} + +function remove_default_user { + # make sure you don't use the default user account + if [[ $MY_USERNAME == "debian" ]]; then + echo 'Do not use the default debian user account. Create a different user with: adduser [username]' + exit 68 + fi + # remove the default debian user to prevent it from becoming an attack vector + if [ -d /home/debian ]; then + userdel -r debian + echo 'Default debian user account removed' + fi +} + +function setup_firewall { + configure_firewall + configure_firewall_ping + configure_firewall_for_dns + configure_firewall_for_avahi +} + +function setup_system { + read_configuration + set_default_onion_domains + locale_setup + parse_args + check_domains + install_static_network + remove_default_user + setup_firewall + create_repo_sources + configure_dns + initial_setup + install_tor + #resolve_dns_via_tor + install_command_line_browser + enable_ssh_via_onion + check_date + install_dynamicdns + randomize_cron + create_freedns_updater + mark_admin_user_account + enforce_good_passwords + install_editor + change_login_message + enable_zram + random_number_generator + set_your_domain_name + time_synchronisation_tlsdate + configure_internet_protocol + create_git_project + setup_wifi + configure_ssh + configure_ssh_onion + allow_ssh_to_onion_address + remove_instructions_from_motd + check_hwrng + search_for_attached_usb_drive + regenerate_ssh_keys + create_mirrors + create_upgrade_script + letsencrypt_renewals + install_watchdog_script + configure_avahi + create_avahi_onion_domains + #install_atheros_wifi + route_outgoing_traffic_through_tor +} + +function setup_mesh { + mesh_cjdns + mesh_cjdns_tools + mesh_batman + mesh_babel +} + +function setup_email { + configure_email + create_procmail + handle_admin_emails + spam_filtering + configure_imap + #configure_imap_client_certs + configure_gpg + refresh_gpg_keys + configure_backup_key + install_monkeysphere + encrypt_incoming_email + encrypt_outgoing_email + email_client + email_archiving + email_from_address + create_public_mailing_list + #create_private_mailing_list + encrypt_all_email + import_email +} + +function setup_web { + install_web_server + install_web_server_access_control +} + +function setup_apps { + install_zeronet + install_zeronet_blog + install_zeronet_mail + install_zeronet_forum + install_syncthing + upgrade_golang + install_gogs + install_xmpp + install_xmpp_client + install_tox_node + install_tox_client + tox_avahi + install_irc_server + install_irc_client + install_mumble + install_sip + update_sipwitch_daemon + install_wiki + install_sip_turn + install_blog + mark_blog_domain + install_gnu_social + expire_gnu_social_posts + install_gnu_social_theme + install_gnu_social_markdown + install_gnu_social_plugin_sharings + install_gnu_social_plugin_sharings_theme + install_rss_reader + install_rss_reader_gnusocial + install_rss_mobile_reader + install_hubzilla + #install_webmail + #install_search_engine + install_dlna_server + #install_mediagoblin + #install_ipfs + repair_databases_script + backup_to_friends_servers +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-ssh b/src/freedombone-utils-ssh new file mode 100755 index 00000000..c5624fdf --- /dev/null +++ b/src/freedombone-utils-ssh @@ -0,0 +1,142 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# ssh functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +SSH_PORT=2222 + +# ssh (from https://stribika.github.io/2015/01/04/secure-secure-shell.html) +SSH_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" +SSH_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com" +SSH_KEX="curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" +SSH_HOST_KEY_ALGORITHMS="ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa" + +function configure_ssh { + if grep -Fxq "configure_ssh" $COMPLETION_FILE; then + return + fi + sed -i "s/Port .*/Port $SSH_PORT/g" /etc/ssh/sshd_config + sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config + sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config + sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config + sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config + sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config + sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config + if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then + echo 'DebianBanner no' >> /etc/ssh/sshd_config + else + sed -i 's|DebianBanner.*|DebianBanner no|g' /etc/ssh/sshd_config + fi + if grep -q 'ClientAliveInterval' /etc/ssh/sshd_config; then + sed -i 's/ClientAliveInterval.*/ClientAliveInterval 60/g' /etc/ssh/sshd_config + else + echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config + fi + if grep -q 'ClientAliveCountMax' /etc/ssh/sshd_config; then + sed -i 's/ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config + else + echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config + fi + if grep -q 'Ciphers' /etc/ssh/sshd_config; then + sed -i "s|Ciphers.*|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config + else + echo "Ciphers $SSH_CIPHERS" >> /etc/ssh/sshd_config + fi + if grep -q 'MACs' /etc/ssh/sshd_config; then + sed -i "s|MACs.*|MACs $SSH_MACS|g" /etc/ssh/sshd_config + else + echo "MACs $SSH_MACS" >> /etc/ssh/sshd_config + fi + if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then + sed -i "s|KexAlgorithms.*|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config + else + echo "KexAlgorithms $SSH_KEX" >> /etc/ssh/sshd_config + fi + + apt-get -y install fail2ban + + function_check configure_firewall_for_ssh + configure_firewall_for_ssh + echo 'configure_ssh' >> $COMPLETION_FILE +} + +# see https://stribika.github.io/2015/01/04/secure-secure-shell.html +function ssh_remove_small_moduli { + awk '$5 > 2000' /etc/ssh/moduli > ~/moduli + mv ~/moduli /etc/ssh/moduli +} + +function configure_ssh_client { + if grep -Fxq "configure_ssh_client" $COMPLETION_FILE; then + return + fi + #sed -i 's/# PasswordAuthentication.*/ PasswordAuthentication no/g' /etc/ssh/ssh_config + #sed -i 's/# ChallengeResponseAuthentication.*/ ChallengeResponseAuthentication no/g' /etc/ssh/ssh_config + sed -i "s/# HostKeyAlgorithms.*/ HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS/g" /etc/ssh/ssh_config + sed -i "s/# Ciphers.*/ Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config + sed -i "s/# MACs.*/ MACs $SSH_MACS/g" /etc/ssh/ssh_config + if ! grep -q "HostKeyAlgorithms" /etc/ssh/ssh_config; then + echo " HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS" >> /etc/ssh/ssh_config + fi + sed -i "s/Ciphers.*/Ciphers $SSH_CIPHERS/g" /etc/ssh/ssh_config + if ! grep -q "Ciphers " /etc/ssh/ssh_config; then + echo " Ciphers $SSH_CIPHERS" >> /etc/ssh/ssh_config + fi + sed -i "s/MACs.*/MACs $SSH_MACS/g" /etc/ssh/ssh_config + if ! grep -q "MACs " /etc/ssh/ssh_config; then + echo " MACs $SSH_MACS" >> /etc/ssh/ssh_config + fi + + # Create ssh keys + if [ ! -f ~/.ssh/id_ed25519 ]; then + ssh-keygen -t ed25519 -o -a 100 + fi + if [ ! -f ~/.ssh/id_rsa ]; then + ssh-keygen -t rsa -b 4096 -o -a 100 + fi + + function_check ssh_remove_small_moduli + ssh_remove_small_moduli + echo 'configure_ssh_client' >> $COMPLETION_FILE +} + +function regenerate_ssh_keys { + if grep -Fxq "regenerate_ssh_keys" $COMPLETION_FILE; then + return + fi + rm -f /etc/ssh/ssh_host_* + dpkg-reconfigure openssh-server + + function_check ssh_remove_small_moduli + ssh_remove_small_moduli + + systemctl restart ssh + echo 'regenerate_ssh_keys' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-time b/src/freedombone-utils-time new file mode 100755 index 00000000..d9b10d4e --- /dev/null +++ b/src/freedombone-utils-time @@ -0,0 +1,129 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Time functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# Why use Google as a time source? +# The thinking here is that it's likely to be reliable and fast. +# The ping doesn't reveal any information other than that the server +# is running, and if anyone maliciously alters the time on Google's +# servers then that would certainly be newsworthy and they'd be +# likely to do something about it quickly. +# If you have better time sources then change them here. +TLS_TIME_SOURCE1="google.com" +TLS_TIME_SOURCE2="www.ptb.de" + +# Time synchronisation +TLSDATE_REPO="https://github.com/bashrc/tlsdate" +TLSDATE_COMMIT='505e31540eebde8074e7dc93b29be0d848def06a' + +function check_date { + curr_date=$(date) + if [[ $curr_date == *"1970"* ]]; then + apt-get -y install ntp + fi +} + +function time_synchronisation { + # mesh peers typically don't sync over the internet + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + if [ -f /usr/local/bin/${PROJECT_NAME}-update-date ]; then + cp /usr/local/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate + else + cp /usr/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate + fi + chmod +x /usr/bin/updatedate + + if grep -Fxq "time_synchronisation" $COMPLETION_FILE; then + return + fi + + apt-get -y install tlsdate + apt-get -y remove ntpdate + + function_check cron_add_mins + cron_add_mins 15 '/usr/bin/updatedate' + + systemctl restart cron + + echo 'time_synchronisation' >> $COMPLETION_FILE +} + +function time_synchronisation_tlsdate { + # mesh peers typically don't sync over the internet + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + + if [ -f /usr/local/bin/${PROJECT_NAME}-update-date ]; then + cp /usr/local/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate + else + cp /usr/bin/${PROJECT_NAME}-update-date /usr/bin/updatedate + fi + chmod +x /usr/bin/updatedate + + if [ ! -d $INSTALL_DIR ]; then + mkdir -p $INSTALL_DIR + fi + set_repo_commit $INSTALL_DIR/tlsdate "tlsdate commit" "$TLSDATE_COMMIT" $TLSDATE_REPO + + if grep -Fxq "time_synchronisation_tlsdate" $COMPLETION_FILE; then + return + fi + + apt-get -y remove tlsdate ntpdate + apt-get -y install build-essential autoconf libevent-dev + + cd $INSTALL_DIR + function_check git_clone + git_clone $TLSDATE_REPO $INSTALL_DIR/tlsdate + cd $INSTALL_DIR/tlsdate + git checkout $TLSDATE_COMMIT -b $TLSDATE_COMMIT + ./autogen.sh + ./configure + if [ ! "$?" = "0" ]; then + echo $'Unable to configure tlsdate' + exit 6825277 + fi + make + if [ ! "$?" = "0" ]; then + echo $'Unable to build tlsdate' + exit 3792726 + fi + make install + + function_check cron_add_mins + cron_add_mins 15 '/usr/bin/updatedate' + + echo 'time_synchronisation_tlsdate' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-upgrade b/src/freedombone-utils-upgrade new file mode 100755 index 00000000..4eca8cac --- /dev/null +++ b/src/freedombone-utils-upgrade @@ -0,0 +1,50 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Upgrading functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# name of a script used to upgrade the system +UPGRADE_SCRIPT_NAME="${PROJECT_NAME}-upgrade" + +function create_upgrade_script { + if [ -f /usr/local/bin/${PROJECT_NAME}-upgrade ]; then + cp /usr/local/bin/${PROJECT_NAME}-upgrade /etc/cron.weekly/$UPGRADE_SCRIPT_NAME + else + cp /usr/bin/${PROJECT_NAME}-upgrade /etc/cron.weekly/$UPGRADE_SCRIPT_NAME + fi + + if grep -Fxq "create_upgrade_script" $COMPLETION_FILE; then + return + fi + + apt-get -y install unattended-upgrades + + echo 'create_upgrade_script' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-watchdog b/src/freedombone-utils-watchdog new file mode 100755 index 00000000..e0a97b76 --- /dev/null +++ b/src/freedombone-utils-watchdog @@ -0,0 +1,51 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Watchdog functions to keep systems running even if they crash +# systemd itself may be able to handle this to a large extent +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# name of a script which keeps running processes going even if they crash +WATCHDOG_SCRIPT_NAME="keepon" + +function install_watchdog_script { + if grep -Fxq "install_watchdog_script" $COMPLETION_FILE; then + return + fi + echo '#!/bin/bash' > /usr/bin/$WATCHDOG_SCRIPT_NAME + echo 'LOGFILE=/var/log/keepon.log' >> /usr/bin/$WATCHDOG_SCRIPT_NAME + echo 'CURRENT_DATE=$(date)' >> /usr/bin/$WATCHDOG_SCRIPT_NAME + # application specific stuff is added later + chmod +x /usr/bin/$WATCHDOG_SCRIPT_NAME + + function_check cron_add_mins + cron_add_mins 1 '/usr/bin/$WATCHDOG_SCRIPT_NAME' + + echo 'install_watchdog_script' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web new file mode 100755 index 00000000..213eadf0 --- /dev/null +++ b/src/freedombone-utils-web @@ -0,0 +1,551 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Web related functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +# default search engine for command line browser +DEFAULT_SEARCH='https://searx.laquadrature.net' + +# This isn't used here, but is included for mirrors creation purposes +LETSENCRYPT_REPO="https://github.com/letsencrypt/letsencrypt" + +# Whether Let's Encrypt is enabled for all sites +LETSENCRYPT_ENABLED="no" +LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' + +# list of encryption protocols +SSL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2" + +# list of ciphers to use. See bettercrypto.org recommendations +SSL_CIPHERS="EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA" + +NGINX_ENSITE_REPO="https://github.com/perusio/nginx_ensite" +NGINX_ENSITE_COMMIT='fa4d72ce1c0a490442c8474e9c8dc21ed52c93d0' + +# memory limit for php in MB +MAX_PHP_MEMORY=64 + +# logging level for Nginx +WEBSERVER_LOG_LEVEL='warn' + +# test a domain name to see if it's valid +function validate_domain_name { + # count the number of dots in the domain name + dots=${TEST_DOMAIN_NAME//[^.]} + no_of_dots=${#dots} + if (( $no_of_dots > 3 )); then + TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has too many subdomains. It should be of the type w.x.y.z, x.y.z or y.z" + fi + if (( $no_of_dots == 0 )); then + TEST_DOMAIN_NAME=$"The domain $TEST_DOMAIN_NAME has no top level domain. It should be of the type w.x.y.z, x.y.z or y.z" + fi +} + +function nginx_disable_sniffing { + domain_name=$1 + filename=/etc/nginx/sites-available/$domain_name + echo ' add_header X-Frame-Options DENY;' >> $filename + echo ' add_header X-Content-Type-Options nosniff;' >> $filename + echo '' >> $filename +} + +function nginx_limits { + domain_name=$1 + max_body='20m' + if [ $2 ]; then + max_body=$2 + fi + filename=/etc/nginx/sites-available/$domain_name + echo " client_max_body_size ${max_body};" >> $filename + echo ' client_body_buffer_size 128k;' >> $filename + echo '' >> $filename + echo ' limit_conn conn_limit_per_ip 10;' >> $filename + echo ' limit_req zone=req_limit_per_ip burst=10 nodelay;' >> $filename + echo '' >> $filename +} + +function nginx_http_redirect { + # redirect port 80 to https + domain_name=$1 + filename=/etc/nginx/sites-available/$domain_name + echo 'server {' > $filename + echo ' listen 80;' >> $filename + echo ' listen [::]:80;' >> $filename + echo " server_name ${domain_name};" >> $filename + echo " root /var/www/${domain_name}/htdocs;" >> $filename + echo ' access_log off;' >> $filename + echo " error_log /var/log/nginx/${domain_name}_error.log $WEBSERVER_LOG_LEVEL;" >> $filename + function_check nginx_limits + nginx_limits $domain_name + echo ' rewrite ^ https://$server_name$request_uri? permanent;' >> $filename + echo '}' >> $filename + echo '' >> $filename +} + +function nginx_ssl { + # creates the SSL/TLS section for a website + domain_name=$1 + filename=/etc/nginx/sites-available/$domain_name + echo ' ssl on;' >> $filename + echo " ssl_certificate /etc/ssl/certs/${domain_name}.crt;" >> $filename + echo " ssl_certificate_key /etc/ssl/private/${domain_name}.key;" >> $filename + echo " ssl_dhparam /etc/ssl/certs/${domain_name}.dhparam;" >> $filename + echo '' >> $filename + echo ' ssl_session_timeout 60m;' >> $filename + echo ' ssl_prefer_server_ciphers on;' >> $filename + echo " ssl_protocols $SSL_PROTOCOLS;" >> $filename + echo " ssl_ciphers '$SSL_CIPHERS';" >> $filename +} + +# check an individual domain name +function test_domain_name { + if [ $1 ]; then + TEST_DOMAIN_NAME=$1 + function_ckeck validate_domain_name + validate_domain_name + if [[ $TEST_DOMAIN_NAME != $1 ]]; then + echo $TEST_DOMAIN_NAME + exit 8528 + fi + fi +} + +# Checks whether certificates were generated for the given hostname +function check_certificates { + if [ ! $1 ]; then + return + fi + USE_LETSENCRYPT='no' + if [ $2 ]; then + USE_LETSENCRYPT=$2 + fi + if [[ $USE_LETSENCRYPT == 'no' ]]; then + if [ ! -f /etc/ssl/private/$1.key ]; then + echo $"Private certificate for $CHECK_HOSTNAME was not created" + exit 63959 + fi + if [ ! -f /etc/ssl/certs/$1.crt ]; then + echo $"Public certificate for $CHECK_HOSTNAME was not created" + exit 7679 + fi + else + if [ ! -f /etc/letsencrypt/live/${1}/privkey.pem ]; then + echo $"Private certificate for $CHECK_HOSTNAME was not created" + exit 6282 + fi + if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ]; then + echo $"Public certificate for $CHECK_HOSTNAME was not created" + exit 5328 + fi + fi + if [ ! -f /etc/ssl/certs/$1.dhparam ]; then + echo $"Diffie–Hellman parameters for $CHECK_HOSTNAME were not created" + exit 5989 + fi +} + +function create_site_certificate { + SITE_DOMAIN_NAME="$1" + + # if yes then only "valid" certs are allowed, not self-signed + NO_SELF_SIGNED='no' + if [ $2 ]; then + NO_SELF_SIGNED="$2" + fi + + if [[ $ONION_ONLY == "no" ]]; then + if [ ! -f /etc/ssl/certs/$SITE_DOMAIN_NAME.dhparam ]; then + if [[ $LETSENCRYPT_ENABLED != "yes" ]]; then + ${PROJECT_NAME}-addcert -h $SITE_DOMAIN_NAME --dhkey $DH_KEYLENGTH + function_check check_certificates + check_certificates $SITE_DOMAIN_NAME + else + ${PROJECT_NAME}-addcert -e $SITE_DOMAIN_NAME -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH --email $MY_EMAIL_ADDRESS + if [ ! "$?" = "0" ]; then + if [[ $NO_SELF_SIGNED == 'no' ]]; then + echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME, so try making a self-signed cert" + ${PROJECT_NAME}-addcert -h $SITE_DOMAIN_NAME --dhkey $DH_KEYLENGTH + function_check check_certificates + check_certificates $SITE_DOMAIN_NAME + else + echo $"Lets Encrypt failed for $SITE_DOMAIN_NAME" + exit 682529 + fi + else + function_check check_certificates + check_certificates $SITE_DOMAIN_NAME 'yes' + fi + fi + fi + fi +} + +# script to automatically renew any Let's Encrypt certificates +function letsencrypt_renewals { + if [[ $ONION_ONLY != "no" ]]; then + return + fi + + renewals_script=/etc/cron.monthly/letsencrypt + renewals_retry_script=/etc/cron.daily/letsencrypt + renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed' + renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal' + + # the main script tries to renew once per month + echo '#!/bin/bash' > $renewals_script + echo '' >> $renewals_script + echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_script + echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_script + echo '' >> $renewals_script + echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_script + echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_script + echo ' rm ~/letsencrypt_failed' >> $renewals_script + echo ' fi' >> $renewals_script + echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_script + echo -n "awk -F ':' '{print " >> $renewals_script + echo -n '$2' >> $renewals_script + echo "}')" >> $renewals_script + echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_script + echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_script + echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_script + echo -n "awk -F '/' '{print " >> $renewals_script + echo -n '$5' >> $renewals_script + echo "}')" >> $renewals_script + echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_script + echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_script + echo ' if [ ! "$?" = "0" ]; then' >> $renewals_script + echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_script + echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_script + echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_script + echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_script + echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_script + echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_script + echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_script + echo ' touch ~/letsencrypt_failed' >> $renewals_script + echo ' fi' >> $renewals_script + echo ' fi' >> $renewals_script + echo ' fi' >> $renewals_script + echo ' done' >> $renewals_script + echo 'fi' >> $renewals_script + chmod +x $renewals_script + + # a secondary script keeps trying to renew after a failure + echo '#!/bin/bash' > $renewals_retry_script + echo '' >> $renewals_retry_script + echo "PROJECT_NAME='${PROJECT_NAME}'" >> $renewals_retry_script + echo 'COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt' >> $renewals_retry_script + echo '' >> $renewals_retry_script + echo 'if [ -d /etc/letsencrypt ]; then' >> $renewals_retry_script + echo ' if [ -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script + echo ' rm ~/letsencrypt_failed' >> $renewals_retry_script + echo -n ' ADMIN_USERNAME=$(cat $COMPLETION_FILE | grep "Admin user" | ' >> $renewals_retry_script + echo -n "awk -F ':' '{print " >> $renewals_retry_script + echo -n '$2' >> $renewals_retry_script + echo "}')" >> $renewals_retry_script + echo ' ADMIN_EMAIL_ADDRESS=$ADMIN_USERNAME@$HOSTNAME' >> $renewals_retry_script + echo ' for d in /etc/letsencrypt/live/*/ ; do' >> $renewals_retry_script + echo -n ' LETSENCRYPT_DOMAIN=$(echo "$d" | ' >> $renewals_retry_script + echo -n "awk -F '/' '{print " >> $renewals_retry_script + echo -n '$5' >> $renewals_retry_script + echo "}')" >> $renewals_retry_script + echo ' if [ -f /etc/nginx/sites-available/$LETSENCRYPT_DOMAIN ]; then' >> $renewals_retry_script + echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt' >> $renewals_retry_script + echo ' if [ ! "$?" = "0" ]; then' >> $renewals_retry_script + echo " echo \"${renewal_failure_msg}\" > ~/temp_renewletsencrypt.txt" >> $renewals_retry_script + echo ' echo "" >> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script + echo ' ${PROJECT_NAME}-renew-cert -h $LETSENCRYPT_DOMAIN -p letsencrypt 2>> ~/temp_renewletsencrypt.txt' >> $renewals_retry_script + echo -n " cat ~/temp_renewletsencrypt.txt | mail -s \"${renewal_email_title}\" " >> $renewals_retry_script + echo '$ADMIN_EMAIL_ADDRESS' >> $renewals_retry_script + echo ' rm ~/temp_renewletsencrypt.txt' >> $renewals_retry_script + echo ' if [ ! -f ~/letsencrypt_failed ]; then' >> $renewals_retry_script + echo ' touch ~/letsencrypt_failed' >> $renewals_retry_script + echo ' fi' >> $renewals_retry_script + echo ' fi' >> $renewals_retry_script + echo ' fi' >> $renewals_retry_script + echo ' done' >> $renewals_retry_script + echo ' fi' >> $renewals_retry_script + echo 'fi' >> $renewals_retry_script + chmod +x $renewals_retry_script +} + +function configure_php { + sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini + sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini + sed -i "s/memory_limit = -1/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/cli/php.ini + sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 50M/g" /etc/php5/fpm/php.ini + sed -i "s/post_max_size = 8M/post_max_size = 50M/g" /etc/php5/fpm/php.ini +} + +function install_web_server_access_control { + if [ ! -f /etc/pam.d/nginx ]; then + echo '#%PAM-1.0' > /etc/pam.d/nginx + echo '@include common-auth' >> /etc/pam.d/nginx + echo '@include common-account' >> /etc/pam.d/nginx + echo '@include common-session' >> /etc/pam.d/nginx + fi +} + +function install_dynamicdns { + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO + + if grep -Fxq "install_dynamicdns" $COMPLETION_FILE; then + return + fi + + # Here we compile from source because the current package + # doesn't support https, which could result in passwords + # being leaked + # Debian version 1.99.4-1 + # https version 1.99.8 + + apt-get -y install build-essential curl libgnutls28-dev automake1.11 + if [ ! -d $INSTALL_DIR/inadyn ]; then + git_clone $INADYN_REPO $INSTALL_DIR/inadyn + fi + if [ ! -d $INSTALL_DIR/inadyn ]; then + echo 'inadyn repo not cloned' + echo -n | openssl s_client -showcerts -connect github.com:443 -CApath /etc/ssl/certs + exit 6785 + fi + cd $INSTALL_DIR/inadyn + git checkout $INADYN_COMMIT -b $INADYN_COMMIT + if ! grep -q "inadyn commit" $COMPLETION_FILE; then + echo "inadyn commit:$INADYN_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/inadyn commit.*/inadyn commit:$INADYN_COMMIT/g" $COMPLETION_FILE + fi + + ./configure + if [ ! "$?" = "0" ]; then + exit 74890 + fi + USE_OPENSSL=1 make + if [ ! "$?" = "0" ]; then + exit 74858 + fi + make install + if [ ! "$?" = "0" ]; then + exit 3785 + fi + + # create an unprivileged user + #useradd -r -s /bin/false debian-inadyn + + # create a configuration file + echo 'background' > /etc/inadyn.conf + echo 'verbose 1' >> /etc/inadyn.conf + echo 'period 300' >> /etc/inadyn.conf + echo 'startup-delay 60' >> /etc/inadyn.conf + echo 'cache-dir /run/inadyn' >> /etc/inadyn.conf + echo 'logfile /dev/null' >> /etc/inadyn.conf + chmod 600 /etc/inadyn.conf + + echo '[Unit]' > /etc/systemd/system/inadyn.service + echo 'Description=inadyn (DynDNS updater)' >> /etc/systemd/system/inadyn.service + echo 'After=network.target' >> /etc/systemd/system/inadyn.service + echo '' >> /etc/systemd/system/inadyn.service + echo '[Service]' >> /etc/systemd/system/inadyn.service + echo 'ExecStart=/usr/local/sbin/inadyn --config /etc/inadyn.conf' >> /etc/systemd/system/inadyn.service + echo 'Restart=always' >> /etc/systemd/system/inadyn.service + echo 'Type=forking' >> /etc/systemd/system/inadyn.service + echo '' >> /etc/systemd/system/inadyn.service + echo '[Install]' >> /etc/systemd/system/inadyn.service + echo 'WantedBy=multi-user.target' >> /etc/systemd/system/inadyn.service + systemctl enable inadyn + systemctl start inadyn + systemctl daemon-reload + + echo 'install_dynamicdns' >> $COMPLETION_FILE +} + +function install_web_server { + if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then + return + fi + + # update to the next commit + function_check set_repo_commit + set_repo_commit $INSTALL_DIR/nginx_ensite "Nginx-ensite commit" "$NGINX_ENSITE_COMMIT" $NGINX_ENSITE_REPO + + if grep -Fxq "install_web_server" $COMPLETION_FILE; then + return + fi + # remove apache + apt-get -y remove --purge apache2 + if [ -d /etc/apache2 ]; then + rm -rf /etc/apache2 + fi + # install nginx + apt-get -y install nginx php5-fpm git + + # limit the number of php processes + sed -i 's/; process.max =.*/process.max = 32/g' /etc/php5/fpm/php-fpm.conf + #sed -i 's/;process_control_timeout =.*/process_control_timeout = 300/g' /etc/php5/fpm/php-fpm.conf + + if ! grep -q "pm.max_children" /etc/php5/fpm/php-fpm.conf; then + echo 'pm.max_children = 10' >> /etc/php5/fpm/php-fpm.conf + echo 'pm.start_servers = 2' >> /etc/php5/fpm/php-fpm.conf + echo 'pm.min_spare_servers = 2' >> /etc/php5/fpm/php-fpm.conf + echo 'pm.max_spare_servers = 5' >> /etc/php5/fpm/php-fpm.conf + echo 'pm.max_requests = 50' >> /etc/php5/fpm/php-fpm.conf + fi + + if [ ! -d /etc/nginx ]; then + echo $"ERROR: nginx does not appear to have installed. $CHECK_MESSAGE" + exit 51 + fi + + # Nginx settings + echo 'user www-data;' > /etc/nginx/nginx.conf + #echo "worker_processes; $CPU_CORES" >> /etc/nginx/nginx.conf + echo 'pid /run/nginx.pid;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo 'events {' >> /etc/nginx/nginx.conf + echo ' worker_connections 50;' >> /etc/nginx/nginx.conf + echo ' # multi_accept on;' >> /etc/nginx/nginx.conf + echo '}' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo 'http {' >> /etc/nginx/nginx.conf + echo ' # limit the number of connections per single IP' >> /etc/nginx/nginx.conf + echo ' limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' # limit the number of requests for a given session' >> /etc/nginx/nginx.conf + echo ' limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file' >> /etc/nginx/nginx.conf + echo ' client_body_buffer_size 128k;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' # headerbuffer size for the request header from client, its set for testing purpose' >> /etc/nginx/nginx.conf + echo ' client_header_buffer_size 3m;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' # maximum number and size of buffers for large headers to read from client request' >> /etc/nginx/nginx.conf + echo ' large_client_header_buffers 4 256k;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' # read timeout for the request body from client, its set for testing purpose' >> /etc/nginx/nginx.conf + echo ' client_body_timeout 3m;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' # how long to wait for the client to send a request header, its set for testing purpose' >> /etc/nginx/nginx.conf + echo ' client_header_timeout 3m;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' ##' >> /etc/nginx/nginx.conf + echo ' # Basic Settings' >> /etc/nginx/nginx.conf + echo ' ##' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' sendfile on;' >> /etc/nginx/nginx.conf + echo ' tcp_nopush on;' >> /etc/nginx/nginx.conf + echo ' tcp_nodelay on;' >> /etc/nginx/nginx.conf + echo ' keepalive_timeout 65;' >> /etc/nginx/nginx.conf + echo ' types_hash_max_size 2048;' >> /etc/nginx/nginx.conf + echo ' server_tokens off;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' # server_names_hash_bucket_size 64;' >> /etc/nginx/nginx.conf + echo ' # server_name_in_redirect off;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' include /etc/nginx/mime.types;' >> /etc/nginx/nginx.conf + echo ' default_type application/octet-stream;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' ##' >> /etc/nginx/nginx.conf + echo ' # Logging Settings' >> /etc/nginx/nginx.conf + echo ' ##' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' access_log /var/log/nginx/access.log;' >> /etc/nginx/nginx.conf + echo ' error_log /var/log/nginx/error.log;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' ###' >> /etc/nginx/nginx.conf + echo ' # Gzip Settings' >> /etc/nginx/nginx.conf + echo ' ##' >> /etc/nginx/nginx.conf + echo ' gzip on;' >> /etc/nginx/nginx.conf + echo ' gzip_disable "msie6";' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' # gzip_vary on;' >> /etc/nginx/nginx.conf + echo ' # gzip_proxied any;' >> /etc/nginx/nginx.conf + echo ' # gzip_comp_level 6;' >> /etc/nginx/nginx.conf + echo ' # gzip_buffers 16 8k;' >> /etc/nginx/nginx.conf + echo ' # gzip_http_version 1.1;' >> /etc/nginx/nginx.conf + echo ' # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' ##' >> /etc/nginx/nginx.conf + echo ' # Virtual Host Configs' >> /etc/nginx/nginx.conf + echo ' ##' >> /etc/nginx/nginx.conf + echo '' >> /etc/nginx/nginx.conf + echo ' include /etc/nginx/conf.d/*.conf;' >> /etc/nginx/nginx.conf + echo ' include /etc/nginx/sites-enabled/*;' >> /etc/nginx/nginx.conf + echo '}' >> /etc/nginx/nginx.conf + + # install a script to easily enable and disable nginx virtual hosts + if [ ! -d $INSTALL_DIR ]; then + mkdir $INSTALL_DIR + fi + cd $INSTALL_DIR + function_check git_clone + git_clone $NGINX_ENSITE_REPO $INSTALL_DIR/nginx_ensite + cd $INSTALL_DIR/nginx_ensite + git checkout $NGINX_ENSITE_COMMIT -b $NGINX_ENSITE_COMMIT + if ! grep -q "Nginx-ensite commit" $COMPLETION_FILE; then + echo "Nginx-ensite commit:$NGINX_ENSITE_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/Nginx-ensite commit.*/Nginx-ensite commit:$NGINX_ENSITE_COMMIT/g" $COMPLETION_FILE + fi + + make install + nginx_dissite default + + function_check configure_firewall_for_web_access + configure_firewall_for_web_access + + echo 'install_web_server' >> $COMPLETION_FILE +} + +function install_command_line_browser { + if grep -Fxq "install_command_line_browser" $COMPLETION_FILE; then + return + fi + apt-get -y install elinks + + # set the home page + if ! grep -q "WWW_HOME" /home/$MY_USERNAME/.bashrc; then + if ! grep -q 'control' /home/$MY_USERNAME/.bashrc; then + echo "export WWW_HOME=$DEFAULT_SEARCH" >> /home/$MY_USERNAME/.bashrc + else + sed -i "/control/i export WWW_HOME=$DEFAULT_SEARCH" /home/$MY_USERNAME/.bashrc + fi + fi + + echo 'install_command_line_browser' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-wifi b/src/freedombone-utils-wifi new file mode 100755 index 00000000..caf43bf5 --- /dev/null +++ b/src/freedombone-utils-wifi @@ -0,0 +1,133 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Wifi functions + +# License +# ======= +# +# Copyright (C) 2015-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +WIFI_CHANNEL=2 +WIFI_INTERFACE=wlan0 +WIFI_TYPE='wpa2-psk' +WIFI_SSID= +WIFI_PASSPHRASE= +WIFI_HOTSPOT='no' +WIFI_NETWORKS_FILE=~/${PROJECT_NAME}-wifi.cfg + +# repo for atheros AR9271 wifi driver +ATHEROS_WIFI_REPO="https://github.com/qca/open-ath9k-htc-firmware.git" + +function setup_wifi { + if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then + return + fi + if [ ! $WIFI_SSID ]; then + return + fi + if [ ${#WIFI_SSID} -lt 2 ]; then + return + fi + if grep -Fxq "setup_wifi" $COMPLETION_FILE; then + return + fi + + HOTSPOT='no' + if [[ $WIFI_HOTSPOT != 'no' ]]; then + HOTSPOT='yes' + fi + + if [ -f $WIFI_NETWORKS_FILE ]; then + ${PROJECT_NAME}-wifi -i $WIFI_INTERFACE --networks $WIFI_NETWORKS_FILE + echo 'setup_wifi' >> $COMPLETION_FILE + return + fi + + if [[ $WIFI_TYPE != 'none' ]]; then + if [ ! $WIFI_PASSPHRASE ]; then + echo $'No wifi passphrase was given' + return + fi + if [ ${#WIFI_PASSPHRASE} -lt 2 ]; then + echo $'Wifi passphrase was too short' + return + fi + ${PROJECT_NAME}-wifi -i $WIFI_INTERFACE -s $WIFI_SSID -t $WIFI_TYPE -p $WIFI_PASSPHRASE --hotspot $HOTSPOT --networks $WIFI_NETWORKS_FILE + else + ${PROJECT_NAME}-wifi -i $WIFI_INTERFACE -s $WIFI_SSID -t $WIFI_TYPE --hotspot $HOTSPOT --networks $WIFI_NETWORKS_FILE + fi + echo 'setup_wifi' >> $COMPLETION_FILE +} + +# ath9k_htc driver +function install_atheros_wifi { + if grep -Fxq "install_atheros_wifi" $COMPLETION_FILE; then + return + fi + if [ $INSTALLING_ON_BBB != "yes" ]; then + return + fi + if [[ $ENABLE_BABEL != "yes" && $ENABLE_BATMAN != "yes" && $ENABLE_CJDNS != "yes" ]]; then + return + fi + if [ -d $INSTALL_DIR/open-ath9k-htc-firmware ]; then + return + fi + # have drivers already been installed ? + if [ -f /lib/firmware/htc_9271.fw ]; then + return + fi + apt-get -y install build-essential cmake git m4 texinfo + if [ ! -d $INSTALL_DIR ]; then + mkdir -p $INSTALL_DIR + fi + cd $INSTALL_DIR + if [ ! -d $INSTALL_DIR/open-ath9k-htc-firmware ]; then + function_check git_clone + git_clone $ATHEROS_WIFI_REPO $INSTALL_DIR/open-ath9k-htc-firmware + if [ ! "$?" = "0" ]; then + rm -rf $INSTALL_DIR/open-ath9k-htc-firmware + exit 74283 + fi + fi + cd $INSTALL_DIR/open-ath9k-htc-firmware + git checkout 1.4.0 + make toolchain + if [ ! "$?" = "0" ]; then + rm -rf $INSTALL_DIR/open-ath9k-htc-firmware + exit 24820 + fi + make firmware + if [ ! "$?" = "0" ]; then + rm -rf $INSTALL_DIR/open-ath9k-htc-firmware + exit 63412 + fi + cp target_firmware/*.fw /lib/firmware/ + if [ ! "$?" = "0" ]; then + exit 74681 + fi + echo 'install_atheros_wifi' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0 diff --git a/src/freedombone-utils-zram b/src/freedombone-utils-zram new file mode 100755 index 00000000..38336791 --- /dev/null +++ b/src/freedombone-utils-zram @@ -0,0 +1,46 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# zram functions +# +# License +# ======= +# +# Copyright (C) 2014-2016 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +function enable_zram { + if grep -Fxq "enable_zram" $COMPLETION_FILE; then + return + fi + + if [[ $INSTALLED_WITHIN_DOCKER == "yes" || $INSTALLING_ON_BBB != "yes" ]]; then + ${PROJECT_NAME}-zram off + return + fi + + ${PROJECT_NAME}-zram on + + echo 'enable_zram' >> $COMPLETION_FILE +} + +# NOTE: deliberately no exit 0